Improved Single-Key Attacks on 2-GOST

Zheng, Qiuhua; Hu, Yinhao; Pei, Tao; Xu, Shengwang; Yu, Junzhe; Wu, Ting; Shen, Yanzhao; Zeng, Yingpei; Cui, Tingting

doi:https://doi.org/10.1155/2020/8886032

Security and Communication Networks

On this page

Abstract Introduction Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 8886032 | https://doi.org/10.1155/2020/8886032

Improved Single-Key Attacks on 2-GOST

Qiuhua Zheng,¹Yinhao Hu,¹Tao Pei,²Shengwang Xu,¹Junzhe Yu,¹Ting Wu,¹Yanzhao Shen,^1,3Yingpei Zeng,¹and Tingting Cui¹

Academic Editor: Stelvio Cimato

Received02 Jun 2020

Revised30 Aug 2020

Accepted24 Sept 2020

Published15 Oct 2020

Abstract

GOST, known as GOST-28147-89, was standardized as the Russian encryption standard in 1989. It is a lightweight-friendly cipher and suitable for the resource-constrained environments. However, due to the simplicity of GOST’s key schedule, it encountered reflection attack and fixed point attack. In order to resist such attacks, the designers of GOST proposed a modification of GOST, namely, 2-GOST. This new version changes the order of subkeys in the key schedule and uses concrete S-boxes in round function. But regarding single-key attacks on full-round 2-GOST, Ashur et al. proposed a reflection attack with data of on a weak-key class of size , as well as the fixed point attack and impossible reflection attack with data of for all possible keys. Note that the attacks applicable for all possible keys need the entire plaintext space. In other words, these are codebook attacks. In this paper, we propose single-key attacks on 2-GOST with only about data instead of codebook. Firstly, we apply 2-dimensional meet-in-the-middle attack combined with splice-cut technique on full-round 2-GOST. This attack is applicable for all possible keys, and its data complexity reduces from previous to . Besides that, we apply splice-cut meet-in-the-middle attack on 31-round 2-GOST with only data of . In this attack, we only need 8 bytes of memory, which is negligible.

1. Introduction

GOST block cipher [1] is known as GOST-28147-89 designed during the 1970s by the Soviet Union. It was standardized as the Russian encryption standard in 1989. As a lightweight-friendly block cipher, GOST is suitable for the resource-constrained environments such as RFID tags and sensor nodes.

GOST’s block size is 64 bits and key size is 256 bits. Round function adopts Feistel construction, in which there are a modular addition with subkey, 8 S-boxes and one rotation operation. However, the S-boxes used in GOST are not specified in the standard document. Each industry can use its own secret favored set of S-boxes to enhance the security of GOST. For example, the S-boxes used in the Central Bank of the Russian Federation is known in [2]. Besides that, the key schedule of GOST is extremely simple. 256-bit master key is divided into eight 32-bit words; then the 32-bit subkeys used in different round functions directly extract from these 8-word keys according to a special order.

Due to the simplicity of GOST’s key schedule, two attacks on full-round GOST were published by Isobe in [3] and Dinur et al. in [4] in 2011. In [3], Isobe combined the reflection property and meet-in-the-middle (MITM) attack to propose the single-key attack on full-round GOST. As a result, the key can be recovered with computations and known plaintexts. In [4], Dinur et al. introduced a new fixed point property as well as a better way to improve the attacks on full-round GOST. Given data, the memory complexity can reduce from to with the same time complexity . Given data, the time complexity can be down to . Although these attacks are not practical, they indicate the a priori in security of GOST.

In order to resist reflection attack and fixed point attack, the designers of GOST proposed a modification of GOST block cipher, named, 2-GOST [5]. In the new modification, there are two differences from original GOST. Firstly, the authors retained the same principle for key schedule as in GOST but changed the order of subkeys against existed attacks. Secondly, two concrete S-boxes were specified in the design document of 2-GOST for convenient cryptanalysis and better implementation.

Unfortunately, full-round 2-GOST still encounters reflection attack and fixed point attack. At FSE’17, Ashur et al. [6] proposed single-key attacks on it. Given data, the key can be recovered with computations by reflection attack. However, this attack only works for out of possible keys, which means this is a weak-key attack. For sake of valid for all possible keys, the authors proposed impossible reflection attack and fixed point attack. Both need known plaintexts. In other words, these are codebook attacks, since they use the entire plaintext space. These results are summarized in Table 1.

In this paper, our motivation is to propose attacks on 2-GOST with about data instead of codebook, further to indicate that the key schedule in modification version 2-GOST is not a good choice yet. Our contributions are summarized as follows: 2-dimensional MITM attack on full-round 2-GOST 2-dimensional MITM attack was proposed by Zhu and Gong in [7] to attack KATAN. Then, it has been applied on TWINE [8], GOST [4], and so on. This attack can improve the performance of general MITM attack, but attackers must be careful about the time complexity of accessing tables. In this paper, we apply 2-dimensional MITM attack combined with splice-cut technique [9] on full-round 2-GOST exploiting the weakness in key schedule. This attack is applicable for all possible keys with time complexity of full-round encryptions and memory complexity of bytes. Furthermore, the data reduced from previous (codebook) to chosen plaintexts under single-key setting. The result is shown in Table 1. Splice-cut MITM attack on 31-round 2-GOST Based on some observations on key schedule and modular addition in the round function of 2-GOST. We apply MITM attack combined with splice-cut technique on reduced 31-round 2-GOST ( rounds). This attack is applicable for all possible keys with data complexity of chosen plaintexts and time complexity of full-round encryptions. It is important to stress that we only use 8-byte memory in this attack which is negligible. The result is shown in Table 1.

This paper is organized as follows. In Section 2, we introduce the specifications of GOST and 2-GOST. Then, in Section 3, we briefly describe the general MITM attack, splice-cut MITM attack, and 2-dimensional MITM attack. In Sections 4 and 5, we propose the 2-dimensional MITM attack on full-round 2-GOST and splice-cut MITM attack on 31-round 2-GOST, respectively. Lastly, we summarize this paper in Section 6.

2. Specifications of GOST and 2-GOST

GOST [1] is a bit-wise lightweight block cipher proposed by the Soviet Union. Its block size is 64 bits, key size is 256 bits, and total rounds are 32. GOST adopts Feistel construction as its round function, in which there are a nonlinear layer composed of eight bijective 4-bit S-boxes and a linear layer only containing a left rotation . Especially, subkeys are mixed with internal state by modular addition instead of traditional XOR. Please see the round function depicted in Figure 1.

The S-boxes used in GOST are bijective but not specified in the standard document. Each industry can choose its own secret favored set of S-boxes to enhance the security of GOST. Please refer to an example, the S-boxes used in the Central Bank of the Russian Federation in [2].

GOST’s key schedule is extremely simple. Each subkey uses one word (32 bits) of master key directly. Assume the master key is divided into eight words , each subkey used in round function adopts one of , , …, . In detail, the first 24 rounds periodically use , , …, as subkeys in ascending order; that is, that = , where and . The last 8 rounds use , , …, as subkeys in descending order; that is, that = , . All subkeys are summarized in Table 2.

2-GOST [5] is the modified version of GOST. It was proposed by the same designers of GOST for the purposed of fixing weaknesses in key schedule against reflection attack and fixed point attack. The differences between 2-GOST and GOST are selection of S-boxes and the order of subkeys in the key schedule. Unlike uncertain S-boxes used in GOST, 2-GOST adopts two concrete bijective S-boxes. Since we only use the bijective property of S-box in this paper, we omit the specification of S-box here. Besides that, 2-GOST uses another order of subkeys comparing with GOST, which is summarized in Table 3.

3. Meet-in-the-Middle Attack

In this section, we will briefly recall general meet-in-the-middle (MITM) attack [10] combined with splice-cut technique [9] and 2-dimensional MITM attack [7].

3.1. General MITM Attack

The general MITM attack has two phases, one is the MITM phase and the other one is the brute-force testing phase.

Assume an -bit block cipher with -bit secret key is divided into two subciphers , , while is divided into three key parts , , and . is only used in and is only used in and is the rest of . The framework of general MITM attack is shown in Figure 2 and the steps of this attack is summarized as follows.

(i)MITM phase: given a plaintext-ciphertext .(1)For each possible , guess each possible , then compute , and store all possible into a table indexed by .(2)For each possible , compute the , then access the -th entity of table to extract . Current (, , and ) is a candidate key.(ii)Brute-force testing phase:(1)Test every candidate key with other plaintext/ciphertext pairs until only the right key is remained. After the MITM phase, we get candidate keys. In brute-force testing phase, the attacker exhaustively searches the true key by using extra plaintext/ciphertext pairs. Finally, the time complexity of the attack in total is The required plaintext/ciphertext pairs is , while the memory cost is (, ) memory blocks. Note that the “Partial Matching” technique [9] can be used to improve the performance of some MITM attacks. In such case, the matching point is only bits instead of bits, so some bits of key in , , and need not be involved in.

3.2. Splice-Cut MITM Attack

In the chosen plaintext and chosen ciphertext settings, the first and the last rounds of the block cipher can be regarded as two successive rounds. Aoki and Sasaki applied splice-cut technique into MITM attack [9].

Assume an -bit block cipher with -bit secret key is divided into three subciphers , , and , while is divided into three key parts , , and . is only used in and , is only used in , and is the rest of . The framework of splice-cut MITM attack is shown in Figure 3, and the steps of the attack are summarized as follows:

(i)MITM phase: For each possible , (1)Choose an -bit state value .(2)Guess each possible , then compute the , and store all into a table indexed by .(3)For each possible , compute the , then access the -th entity of table to extract . Current (, , ) is a candidate key.(iii)Brute-force testing phase:(1)Test every candidate key with other plaintext/ciphertext pairs until only the right key is remained. The time and memory complexities are same as those in general MITM attack. However, the data complexity depends on and . Assume that bits of plaintext are not affected by when we compute ; we can fix such bits of plaintext as a constant in advance and then choose suitable . As a result, the data complexity is .

3.3. Dimensional MITM Attack

This attack was proposed in [7]. It is suitable to attack ciphers whose key size is larger than block size.

Assume an -bit block cipher with -bit secret key is divided into four subciphers , , , and . Key part is used in subcipher , . The framework of 2-dimensional MITM attack is shown in Figure 4 and the steps of the attack is summarized as follows.

(i)MITM phase:(1)For each possible , compute , and put into table indexed by the value of ;(2)For each possible , compute , and put into table indexed by the value of ;(3)For each possible value of :(a)For each possible , compute the , and check if is in table . If so, put () into table .(b)For each possible , compute and check if is in table . If so, check if () is also in table . If true, current (, , , ) is a candidate key.(ii)Brute-force testing phase:(1)Test every candidate key with other plaintext/ciphertext pairs until only the right key is remained. For each possible value of a, there are candidate keys remained. After the MITM phase, we totally get candidate keys. In brute-force testing phase, the attacker exhaustively searches the true key by using extra plaintext/ciphertext pairs. Finally, the time complexity of the attack in total is In such attack, the data complexity is , while the memory complexity happens to store tables , .

Remark. In the 2-dimensional MITM attack model, the time of accessing tables is omitted in step 3b. However, it is much possible to be the main time complexity in some attacks. For example, Wen et al. indicated in [11] that the actual time complexity of 2-dimensional MITM attack on TWINE proposed in [8] exceeded the brute-force time. So in our attack on 2-GOST, we will take this part time into consideration.

4. 2-Dimensional MITM Attack on Full-Round 2-GOST

In this section, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST.

Before formally introducing the attack, we firstly illustrate how to decide the partial matching (meeting) point. Along the forward direction, each bit on (, ) can be deduced from (, ) and subkey as follows:where , and denote the -th bit and the -th to -th bits of state X, respectively. From (3), we can find that no bits of are needed to deduce every bit on and at least 4 bits of are involved to deduce one bit on from (, ). Especially, only , , can be deduced by 4 bits of , that is, . In order to guess key bits as few as possible to reduce the attack’s time complexity, (, is a good candidate as matching point. Along the backward direction, the way that each bit on (, ) deduced from (, ) and subkey is similar with that along the forward direction because round function of 2-GOST adapts Feistel construction. Therefore, (, ) is a good candidate as matching point as well. In a short, we select matching points from (, ) and (, ) in our attack.

Next, we start to describe our attack on full-round 2-GOST. Its framework is shown in Figure 5. Firstly, we divide full-round 2-GOST into 5 subciphers: Round 0, Rounds 1∼12, Rounds 13∼18, Rounds 19∼24, and Rounds 25∼31, denoted as , , , , and , respectively. The actual start point is the input of round 1 instead of the plaintext and two matching points are (, ) and ( ) depicted as in Figures 6 and 7, where denotes the -th to -th bits of state . In order to meet on (, ), there are 224 bits key involved in subciphers and 164 bits of key involved in subcipher . Similarly, In order to meet on (, ), there are bits of key involved in subcipher , and bits key involved in subciphers and . The attack steps are as follows:

(1)Guess each possible , compute the value of (, ) by , and put all possible (, ) into table indexed by (, , , , ¸ ).(2)Guess each possible , compute the value of (, ) by , and put (, ) into table indexed by (, , , , , ).(3)For each possible value of ,(a)Guess each possible compute the value of (, ) by , then extract the entity with index from table , and store (, ) into table indexed by (, , , , , ).(b)Guess each possible , compute the value of (, ) by , then extract the entity from table by index.(c)For each compatible from step 3b, access table by index. If is compatible with , current is a candidate key. Test the candidate key with other plaintext/ciphertext pairs.

In Step 1, the time complexity to build table is full-round encryptions. Since there are entities in table , on average, every entity contains -bit values (, ). Therefore, the memory complexity is bytes. Similarly, in Step 2, the time complexity is about full-round encryptions, and the memory complexity is bytes.

Under each possible value of , on average, possible will be stored into table in Step 3a. Since table has entities by index, each entity contains one value (, ) on average. Thus, the time complexity of Step 3a is full-round encryptions and accesses. Assume one access roughly equals to one-round encryption. Then Step 3a needs full-round encryptions under each possible . Next, in Step 3b, the time complexity is full-round encryptions. Since there are possible remained after step 3b, the time complexity is accesses in Step 3c, that is, full-round encryptions. As a result, the time complexity of MITM phase is full-round encryptions. Meanwhile, there are candidate key remained. In the brute-force testing phase, we need 4 plaintext/ciphertext pairs to filter such candidate keys. The time complexity is . Totally, the time complexity of the whole attack on full-round GOST2 is full-round encryptions. The memory complexity happens to build tables , , and , which is about bytes. Because and -bit involved in , the data complexity is chosen plaintexts.

5. MITM Attack on 31-Round 2-GOST

2-GOST is a modified version of GOST by changing the key schedule to avoid reflection attack and fixed point attack. In this section, we apply the general MITM attack combined with splice-cut technique on 31-round 2-GOST due to the new order of subkeys. By analyzing the key schedule of 2-GOST, we observe the fact that has no chance to be used from Round 2 to Round 13. On the other hand, has no chance to be used from Round 19 to Round 30 as well. Furthermore, Round 0 to Round 2 could be computed without . Based on those observations, we construct a MITM attack on the reduced 31-round 2-GOST. Figure 8 shows an overview of the attack.

In this attack, we divide 31-round 2-GOST into three subciphers: Rounds , Rounds , and Rounds , denoted by , , and , respectively. The actual start point is on (, ), and matching point is on . In order to compute the value of from (, ) forward, there are 124 bits of key except involved, while from ciphertext backward, there are 124 bits of key except involved. Let denote the key bits only used in , denote the key bits only used in and , and denote common key part among three subciphers. Here, = , = , and . In detail, the attack process is as follows (Figure 9).

5.1. Complexity Evaluation

According to (2), in the MITM phase, the time complexity is about 14-round encryptions and 15-round encryptions, which is equal to 31-round encryptions. Meanwhile, in the brute-force testing phase, the time complexity is about 31-round encryptions. Totally, the time complexity of the whole attack is 31-round encryptions. Since , , and are not affected by (depicted in Figure 10); these 32 bits of plaintext can be fixed in advance. Therefore, the data complexity in MITM phase is chosen plaintexts. Regarding the required memory, it mainly happens to build table , which needs about 8 bytes (= bits).

(i)MITM phase: For each possible ,(1)Choose an -bit state value on the input of round 2.(2)Guess each possible , then compute the value on and store into a table indexed by .(3)For each possible , compute the , then check whether there is any value of in the -th entity of . If so, current (, , ) is a candidate key.(ii)Brute-force testing phase:(1)Test every candidate key with other plaintext-ciphertext pairs until only the right key is remained

6. Conclusion

In this paper, we improve the single-key attacks on 2-GOST, a modification of GOST, with data of for all possible keys. Firstly, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST. Its time and memory complexities are encryptions and 256-bit blocks, respectively. Then, we apply splice-cut MITM attack on reduced 31-round 2-GOST. The time complexity is encryptions and memory complexity is negligible. Note that these attacks are still not practical to be implemented, but they indicate that the key schedule in the modification version 2-GOST is not a good choice yet.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This work was supported by the NSFC Projects (nos. 61902100 and 61902098), Key Research, Development Program of Zhejiang Province (nos. 2020C01078 and 2019C01012), Foundation of Science and Technology on Communication Security Laboratory (no. 6142103190105), and Natural Science Foundation of Zhejiang Province (no. Q20F020063).

References

Russian National Bureau of Standards, Federal Information Processing Standard-Cryptographic Protection—Cryptographic Algorithm, 1989, GOST 28147-89, http://tools.ietf.org/html/rfc5830.
OpenSSL, A Reference Implementation of GOST, http://www.openssl.org/source/.
T. Isobe, “A single-key attack on the full GOST block cipher,” Fast Software Encryption, vol. 6733, Springer, Berlin, Germany, 2011.
View at: Publisher Site | Google Scholar
I. Dinur, O. Dunkelman, and A. Shamir, “Improved attacks on full GOST,” Fast Software Encryption, vol. 7549, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar
A. A. Dmukh, D. M. Dygin, and G. B. Marshalko, “A lightweight-friendly modification of GOST block cipher,” IACR Cryptology ePrint Archive, vol. 2015, p. 65, 2015, https://eprint.iacr.org/2015/065.pdf.
View at: Google Scholar
T. Ashur, A. Bar-On, and D. Orr, “Cryptanalysis of GOST2,” IACR Transactions on Symmetric Cryptology, vol. 1, pp. 203–214, 2017.
View at: Publisher Site | Google Scholar
B. Zhu and G. Gong, “Multidimensional meet-in-the-middle attack and its applications to KATAN32/48/64,” Cryptography and Communications, vol. 6, no. 4, pp. 313–333, 2014.
View at: Publisher Site | Google Scholar
Ö. Boztaş, F. Karakoç, and M. Çoban, “Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128,” Lightweight Cryptography for Security and Privacy. LightSec 2013. LNCS, vol. 8162, Springer, Berlin, Heidelberg, 2013.
View at: Publisher Site | Google Scholar
K. Aoki and Y. Sasaki, “Preimage attacks on one-block MD4, 63-step MD5 and more,” SAC 2008. LNCS, vol. 5381, Springer, Heidelberg, Germany, 2009.
View at: Publisher Site | Google Scholar
W. Diffie and M. E. Hellman, “Special feature exhaustive cryptanalysis of the NBS data encryption standard,” Computer, vol. 10, no. 6, pp. 74–84, 1977.
View at: Publisher Site | Google Scholar
L. Wen, M. Wang, A. Bogdanov, and H. Chen, “Note of multidimensional MITM attack on 25-round TWINE-128,” IACR Cryptology ePrint Archive, vol. 2014, p. 425, 2014, https://eprint.iacr.org/2014/425.pdf.
View at: Google Scholar

Copyright

Copyright © 2020 Qiuhua Zheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

468

Downloads

614

Citations