A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet...
Transcript of A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet...
![Page 1: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/1.jpg)
A Single Key Attack
on the Full GOST Block Cipher
Takanori ISOBE
Sony Corporation
FSE 2011
![Page 2: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/2.jpg)
Outline
Background and Result
GOST Block Cipher
Known Techniques
3-subset Meet in the Middle Attack
Reflection Attack
Reflection-MITM attack (R-MITM)
R-MITM attack on the Full GOST Block cipher
Equivalent-key technique for enhancing the attack
Conclusion
Sony Corporation
![Page 3: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/3.jpg)
Background
GOST Block CipherSoviet Encryption Standard “GOST 28147-89”.
Standardized in 1989 as the Russian Encryption Standard.
(Russian DES ).
Implementation AspectRecently, Poschmann et.al. show the 650-GE H/W implementation.
@CHES 2010
Considered as Ultra light weight Block cipher such as KATAN family
and PRESENT.
650 GE implementation supports only hard-wired fixed key
(single key model).
Sony Corporation
![Page 4: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/4.jpg)
Cryptanalysis
Key Setting
Type of Attack Round Complexity Data Paper
Single Key
Differential 13 - 251 (CP) [28]
Slide 24 263 264 − 218 (KP) [2]
Slide 30 2254 264 − 218 (KP) [2]
Reflection 30 2224 232 (KP) [17]
Single Key(Weak key)
Slide (2128 weak keys) 32 (full) 263 263 (ACP) [2]
Reflectction(2224 weak keys)
32 (full) 2192 232 (CP) [17]
Related KeyDifferential 21 Not given 256 (CP) [28]
Differential 32 (full) 2224 235 (CP) [19]
Boomerang 32 (full) 2248 27.5 (CP) [15]
Sony Corporation
In spite of considerable efforts, there is no key recovery attack
on full GOST in the single (fixed) key model without weak keys.
![Page 5: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/5.jpg)
Cryptanalysis
Key Setting
Type of Attack Round Complexity Data Paper
Single Key
Differential 13 - 251 (CP) [28]
Slide 24 263 264 − 218 (KP) [2]
Slide 30 2254 264 − 218 (KP) [2]
Reflection 30 2224 232 (KP) [17]
Reflection-MITM 32 (full) 2225 232 (KP) Ours
Single Key(Weak key)
Slide (2128 weak keys) 32 (full) 263 263 (ACP) [2]
Reflectction(2224 weak keys)
32 (full) 2192 232 (CP) [17]
A first single-key attack on the full GOST block cipher.(work for all key classes)
Sony Corporation
Related KeyDifferential 21 Not given 256 (CP) [28]
Differential 32 (full) 2224 235 (CP) [19]
Boomerang 32 (full) 2248 27.5 (CP) [15]
![Page 6: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/6.jpg)
Structure of GOST
Round function
Round function
Round function
Round function
Swap
Plain text
Rk1
…
Rk2
Rk31
Rk32
Cipher text
Master key = K1||K2||…||K8
64
64
32
64
32-round Feistel Structure with 64-bit block and 256-bit key
256 bit 32 bit × 8
<<<11
S1
S2
S8
…
Rki
Sony Corporation
Key schedule
![Page 7: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/7.jpg)
Known Techniques
Sony Corporation
- 3 subset MITM attack
- Reflection attack
![Page 8: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/8.jpg)
3-Subset Meet-in-the-Middle Attack
[General]
Proposed by Bogdanov and Rechberger @SAC2010.
Applied to KTANTAN-32/48/64.
[Technical aspect]
Construct 3-subsets of key bits to mount the MITM approach.
Based on recent techniques of preimage attacks of hash functions.
Sony Corporation
![Page 9: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/9.jpg)
3-Subset Meet-in-the-Middle Attack
2l -b2l1
Surviving Key
Space
Master KeySpace
MITMStage
Key TestingStage
Correct key
Sony Corporation
@ MITM stage : Filter out part of wrong keys by using MITM techniques@ Key testing stage : Find the correct key in the brute force manner.
Consists of two stages : MITM stage ⇒ Key testing stage
l : key size in bit
b: block size in bit
![Page 10: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/10.jpg)
MITM Stage
Plain text Block cipher
Divide the Block cipher into 2 sub functions.
Cipher text
Master Key
# Block cipher : l bit master key and n bit block size
l
n
Sony Corporation
![Page 11: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/11.jpg)
MITM Stage
Plain textSub
Func. 1
Divide the Block cipher into 2 sub functions
Cipher textSub
Func. 2
n
Master Key
Sony Corporation
![Page 12: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/12.jpg)
MITM Stage
Plain textSub
Func. 1
Divide the Block cipher into 2 sub functions
Cipher text
K1
SubFunc. 2
K2
K1 K2
K1: sub set of key bits used in Sub Func. 1.K2: sub set of key bits used in Sub Func. 2.
n
Sony Corporation
![Page 13: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/13.jpg)
MITM Stage
Plain textSub
Func. 1
Construct 3-subset of master key, A0, A1, A2
Cipher text
K1
SubFunc. 2
K2
K1 K2
A0 = K1∩K2A1 = K1/(K1∩K2)A2 = K2/(K1∩K2)
A0A1 A2
n
Sony Corporation
K1: sub set of key bits used in Sub Func. 1.K2: sub set of key bits used in Sub Func. 2.
![Page 14: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/14.jpg)
MITM Stage
Plain textSub
Func. 1
Construct 3-subset of master key, A0, A1, A2
Cipher text
A1, A0 (=K1)
SubFunc. 2
K1 K2
A0 = K1∩K2A1 = K1/(K1∩K2)A2 = K2/(K1∩K2)
A0A1 A2
A2, A0 (=K2)
n
Sony Corporation
K1: sub set of key bits used in Sub Func. 1.K2: sub set of key bits used in Sub Func. 2.
![Page 15: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/15.jpg)
MITM Stage
Plain textSub
Func. 1
Mount the MITM approach by using , A0, A1, A2
Cipher text
A1, A0 (=K1)
SubFunc. 2
A2, A0 (=K2)
1. Guess the value of A02. Compute v for all value of A1 and make a table (A1, v ) pairs3. Compute u for all value of A24. If v = u, then regard (A0, A1, A2) as key candidates5. Repeat 2-4 with all value of A0 (2|A0|times)
v un
Sony Corporation
K1 K2
A0A1 A2
![Page 16: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/16.jpg)
MITM Stage
Plain textSub
Func. 1
Mount the MITM approach by using , A0, A1, A2
Cipher text
A1, A0 (=K1)
SubFunc. 2
A2, A0 (=K2)
1. Guess the value of A02. Compute v for all value of A1 and make a table (A1, v ) pairs3. Compute u for all value of A24. If v = u, then regard (A0, A1, A2) as key candidates5. Repeat 2-4 with all value of A0 (2|A0|times)
v u
# of surviving key candidates :2|A1|+|A2| / 2b×2|A0| = 2l -b
n
Sony Corporation
l : key size in bit
b: block size in bit
K1 K2
A0A1 A2
![Page 17: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/17.jpg)
Key Testing StageTest surviving keys in brute force manner by using additional data.
2l -b2l1
Surviving Key
Space
Master KeySpace
MITMStage
Key TestingStage
Correct key
Sony Corporation
![Page 18: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/18.jpg)
Evaluation
2l -b2l1
Surviving Key
Space
Master KeySpace
MITMStage
Key TestingStage
Correct key
Complexity = 2|A0|(2|A1|+2|A2|) + (2l-b +2l-2b+…) Data = max ( 1 , l/b )
Condition for a successful attack : min (2|A1|, 2|A2|) > 2
The Point of the attack : Find independent sets of master key bit such as A1 and A2
Sony Corporation
![Page 19: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/19.jpg)
Known Techniques
Sony Corporation
- 3 subset MITM attack
- Reflection attack
![Page 20: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/20.jpg)
Reflection Attack
[General]
Introduced by Kara and Manap @ FSE2007.
Applied to Blowfish, GOST and more, so far.
[Technical Aspect]
A technique for constructing fixed points .
Utilize self-similarity of both encryption and decryption round functions. (Slide attack uses self-similarity of only encryption round functions)
Sony Corporation
![Page 21: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/21.jpg)
Reflection AttackConsider the 3 sub functions.
Sony Corporation
Sub func. 1 Sub func. 2 Sub func. 3
![Page 22: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/22.jpg)
Reflection AttackAssume that the Sub func. 3 has involution property.
i.e., Sub func. 3 is same as the inverse of Sub func. 1.
Sony Corporation
Sub func. 1 Sub func. 2 Sub func. 3
Inverse of Sub func. 1
![Page 23: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/23.jpg)
Reflection Attack
X X
Fixed Point
If the Sub func. 2 has fixed points.
Sony Corporation
Sub func. 1 Sub func. 2 Sub func. 3
Inverse of Sub func. 1
![Page 24: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/24.jpg)
Reflection Attack
X X
Fixed Point
Y Y
Local fixed Point of Sub func. 2 is expanded into previous and next rounds.
Sony Corporation
Sub func. 1 Sub func. 2 Sub func. 3
Inverse of Sub func. 1
![Page 25: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/25.jpg)
Reflection-MITM attack
Sony Corporation
![Page 26: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/26.jpg)
Core Idea of the R-MITM AttackSkip some round functions by using the fixed points of the Reflection attack
Plain text Cipher text
Master Key
l
bBlock cipher
The number of fixed point : x
Sony Corporation
![Page 27: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/27.jpg)
Core Idea of the R-MITM Attack
Plain text Cipher text
Master Key
l
bBlock cipher
Probability Pref = x/2b
Block cipher
In one of Pref-1 Plaintext/Ciphertext pairs,
the reflection skip occurs
Reflectionskip
Sony Corporation
Skip some round functions by using the fixed points of the Reflection attack
in = out
The number of fixed point : x
![Page 28: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/28.jpg)
Stages of the R-MITM Attack
Data Collection stage
Collect Pref-1 Plaintext/Ciphertext pairs.
MITM stage and Key testing stage
Mount all collected pair.
Assume that reflection skip occurs.
Plain text Cipher text
Master Key
l
bBlock cipherBlock cipher
Reflectionskip
Sony Corporation
in = out
![Page 29: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/29.jpg)
Stages of the R-MITM Attack
Data Collection stage
Collect Pref-1 Plaintext/Ciphertext pairs.
MITM stage and Key testing stage
Mount all collected pair.
Assume that reflection skip occurs.
Plain text Cipher textb
Block cipherSub 1Reflection
skipSub 1 Sub 2
A1, A0 A2, A0
Sony Corporation
Assume that the reflection skip occurs in used P/C pair
![Page 30: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/30.jpg)
Stages of the R-MITM Attack
Data Collection stage
Collect Pref-1 Plaintext/Ciphertext pairs.
MITM stage and Key testing stage
Mount all collected pair.
Assume that reflection skip occurs.
Plain text Cipher textb
Block cipherSub 1Reflection
skipSub 1 Sub 2
A1, A0 A2, A0
Advantage of R-MITM attack over 3-subset MITM attack
The key bits involved in skipped round can be disregarded!=> it become easier to construct independent key sets.
Sony Corporation
![Page 31: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/31.jpg)
Evaluation
2l -b2l1
Surviving Key
Space
Master KeySpace
MITMStage
Key TestingStage
Correct key
Complexity = ( 2|A0|(2|A1|+2|A2|) + (2l-b +2l-2b+…) ) ×Pref-1
Data = max ( 1 , l/b , Pref-1 )
Condition for a successful attack : min (2|A1|, 2|A2|) > Pref-1
We need to construct large set of independent keys.
Sony Corporation
![Page 32: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/32.jpg)
R-MITM Attack on the Full GOST
Sony Corporation
![Page 33: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/33.jpg)
Application to Full GOST
8round
k1||…||k8
8round 8round 8roundP C
k1||…||k8 k1||…||k8k8||…||k1
reverse order
Sony Corporation
![Page 34: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/34.jpg)
Reflection Property
8round
k1||…||k8
8round 8round 8roundP C
k1||…||k8 k1||…||k8k8||…||k1
reverse order
Reflection property was shown by Kara.
- # of fixed points is 232
Probability Pref = 2-32 (>>2-64)
Sony Corporation
![Page 35: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/35.jpg)
Reflection Skip
8round
k1||…||k8
8roundP C
k1||…||k8
Pref = 2-32
Reflection skip!
Sony Corporation
@Data collection stage: Collect 232 known plaintext/ciphertext pairs
![Page 36: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/36.jpg)
R-MITM Stage
8round
k1||…||k8
8roundP C
k1||…||k8
Sony Corporation
Assume that the reflection skip occurs (Pref = 2-32) for each pair.
![Page 37: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/37.jpg)
R-MITM Stage
8round
k1||…||k8
8roundP C
k1||…||k8
Sony Corporation
Assume that the reflection skip occurs (Pref = 2-32) for each pair.
Condition for a successful attack :min (2|A1|, 2|A2|) >232
K1 K2
A0A1 A2
![Page 38: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/38.jpg)
R-MITM Stage
8round
k1||…||k8
8roundP C
k1||…||k8
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
Sony Corporation
Divide 4-round units.
![Page 39: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/39.jpg)
MITM Stage
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
Sony Corporation
![Page 40: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/40.jpg)
MITM Stage
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
2128 2128K1 K2
Sony Corporation
![Page 41: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/41.jpg)
MITM Stage
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
2128 2128K1 K2
Sony Corporation
In the straightforward method,It is impossible to mount the MITM attack.
Because there are 4 chunks.
Equivalent-key technique
![Page 42: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/42.jpg)
Equivalent Keys
Sony Corporation
4 roundP
k1||…||k4
K1
X
Fix Fix
Define Equivalent keys used for our attack as
“a set of keys that transforms P to X for 4-round unit”
![Page 43: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/43.jpg)
Equivalent Keys
Sony Corporation
4 roundP
k1||…||k4
K1
X
k1F
k2F
k1 : Guess
k3F
k4F
k2 : Guess
k3 : Determine
k4 : Determine
Fix Fix
32 bit
32 bit
32 bit
32 bit
Given the values of P and X, It is easy to find such set.
Define Equivalent keys used for our attack as
“a set of keys that transforms P to X for 4-round unit”
![Page 44: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/44.jpg)
Equivalent Keys
Sony Corporation
4 roundP
k1||…||k4
K1
X
Given the values of P and X, It is easy to find such set.
k1F
k2F
k1 : Guess
k3F
k4F
k2 : Guess
k3 : Determine
k4 : Determine
Fix Fix
32 bit
32 bit
32 bit
32 bit
For each (P, X) pair,there are 264 such equivalent keys
Define Equivalent keys used for our attack as
“a set of keys that transforms P to X for 4-round unit”
![Page 45: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/45.jpg)
Equivalent Keys
Sony Corporation
4 roundP
k1||…||k4
K1
X
Categorize K1 into sets of equivalent keys depending on values of X
K1
Fix 264
a set of equivalent keysincluding 264 keys
264 sets of 264 keys(cover 2128 key space)
2128
![Page 46: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/46.jpg)
Equivalent Keys
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X
2128K1264
2128K2
Y
Sony Corporation
![Page 47: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/47.jpg)
Effective MITM approachGuess values of X and Y.
Sony Corporation
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X Y
2128K1264
2128K2
![Page 48: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/48.jpg)
Effective MITM approachChoose two set from K1 and K2, which transform X and Y
Sony Corporation
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X Y
2128K1264
2128K2
![Page 49: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/49.jpg)
Effective MITM approach
Sony Corporation
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X
2128K1264
2128K2
Y
Mount the MITM approach in only intermediate 8 round.
![Page 50: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/50.jpg)
Effective MITM approach
Sony Corporation
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X
2128K1264
2128K2
Y
Mount the MITM approach in only intermediate 8 round.
MITM
The size of independent set is 264 (> 232)
![Page 51: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/51.jpg)
Effective MITM approach
4 round 4 round4 round 4 roundP C
k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8
K1 K2 K1 K2
X
2128K1264
2128K2
Y
Mount the MITM approach in only intermediate 8 round.
Fix Fix
MITM
Repeat these steps with all values of X and Y(2128 (=264×264) times)
Sony Corporation
![Page 52: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/52.jpg)
Evaluation
222422561
Surviving Key
Space
Master KeySpace
MITMStage
Key TestingStage
Correct key
Complexity = 2128(264+264) + (2256-32 +2256-64+…) = 2225
Data = max ( 232 , 8 ) = 232
It is faster than brute force attack (2256)
Sony Corporation
![Page 53: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/53.jpg)
Result
Key Setting
Type of Attack Round Complexity Data Paper
Single Key
Differential 13 - 251 (CP) [28]
Slide 24 263 264 − 218 (KP) [2]
Slide 30 2254 264 − 218 (KP) [2]
Reflection 30 2224 232 (KP) [17]
Reflection-MITM 32 (full) 2225 232 (KP) Ours
Single Key(Weak key)
Slide (2128 weak keys) 32 (full) 263 263 (ACP) [2]
Reflectction(2224 weak keys)
32 (full) 2192 232 (CP) [17]
A first single-key attack on the full GOST block cipher.(work for all key classes)
Sony Corporation
Related KeyDifferential 21 Not given 256 (CP) [28]
Differential 32 (full) 2224 235 (CP) [19]
Boomerang 32 (full) 2248 27.5 (CP) [15]
![Page 54: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/54.jpg)
Conclusion
New attack framework “R-MITM attack”Utilize fixed points to remove some rounds.
Applied “R-MITM” to GOST block cipherAs a result, succeeded in constructing
first single key recovery attack.
Future Works and RemarksApplied it to other block ciphers.
Other property may be used as skip technique
instead of fixed points .
Sony Corporation
![Page 55: A Single Key Attack on the Full GOST Block Cipher Single...Background GOST Block Cipher Soviet Encryption Standard “GOST 28147-89”. Standardized in 1989 as the Russian Encryption](https://reader034.fdocuments.in/reader034/viewer/2022051812/602c898b9dd5725f5b69eee2/html5/thumbnails/55.jpg)
Thank You For Your Attention
Sony Corporation