International Association for Cryptologic Research

International Association
for Cryptologic Research


Practical-Time Related-Key Attack on GOST with Secret S-boxes

Ariel Weizman , Bar Ilan university
Nathan Keller , Bar Ilan university
Orr Dunkelman , University of Haifa
DOI: 10.1007/978-3-031-38548-3_7 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2023
Abstract: The block cipher GOST 28147-89 was the Russian Federation encryption standard for over 20 years, and is still one of its two standard block ciphers. GOST is a 32-round Feistel construction, whose security benefits from the fact that the S-boxes used in the design are kept secret. In the last 10 years, several attacks on the full 32-round GOST were presented. However, they all assume that the S-boxes are known. When the S-boxes are secret, all published attacks either target a small number of rounds, or apply for small sets of weak keys. In this paper we present the first practical-time attack on GOST with secret S-boxes. The attack works in the related-key model and is faster than all previous attacks in this model which assume that the S-boxes are known. The complexity of the attack is less than $2^{27}$ encryptions. It was fully verified, and runs in a few seconds on a PC. The attack is based on a novel type of related-key differentials of GOST, inspired by local collisions. Our new technique may be applicable to certain GOST-based hash functions as well. To demonstrate this, we show how to find a collision on a Davies-Meyer construction based on GOST with an arbitrary initial value, in less than $2^{10}$ hash function evaluations.
  title={Practical-Time Related-Key Attack on GOST with Secret S-boxes},
  author={Ariel Weizman and Nathan Keller and Orr Dunkelman},