ABSTRACT Rotational cryptanalysis was introduced by Khovratovich and Nikoli ´c as a tool to analyse ARX-type cipher designs. GOST 28147-89 is a former Soviet Union cipher standard based on a Feistel construction with 32 rounds. Each round function adds the round key modulo 232, transforms the result with 4-to-4 bit S-boxes, and rotates the output. We apply the rotational cryptanalysis to a version of GOST using eight identical S-boxes, such as GOST-PS. We show the existence of (practical) rotational distinguisher in related key model for full GOST. Furthermore, there is a set of weak keys (rotationally symmetric keys) that enables rotational attacks in single-key model as well. Finally, we show a simple attack on the last round that uses the rotational distinguisher to reduce the complexity of the full GOST to 208 bits.
Read full abstract