Research Article  Open Access
Qiuhua Zheng, Yinhao Hu, Tao Pei, Shengwang Xu, Junzhe Yu, Ting Wu, Yanzhao Shen, Yingpei Zeng, Tingting Cui, "Improved Single-Key Attacks on 2-GOST", Security and Communication Networks, vol. 2020, Article ID 8886032, 10 pages, 2020. https://doi.org/10.1155/2020/8886032
Improved Single-Key Attacks on 2-GOST
Abstract
GOST, known as GOST 28147-89, was standardized as the Russian encryption standard in 1989. It is a lightweight-friendly cipher and suitable for the resource-constrained environments. However, due to the simplicity of GOST’s key schedule, it encountered reflection attack and fixed point attack. In order to resist such attacks, the designers of GOST proposed a modification of GOST, namely, 2-GOST. This new version changes the order of subkeys in the key schedule and uses concrete S-boxes in round function. But regarding single-key attacks on full-round 2-GOST, Ashur et al. proposed a reflection attack with data of on a weak-key class of size , as well as the fixed point attack and impossible reflection attack with data of for all possible keys. Note that the attacks applicable for all possible keys need the entire plaintext space. In other words, these are codebook attacks. In this paper, we propose single-key attacks on 2-GOST with only about data instead of codebook. Firstly, we apply 2-dimensional meet-in-the-middle attack combined with splice-cut technique on full-round 2-GOST. This attack is applicable for all possible keys, and its data complexity reduces from previous to . Besides that, we apply splice-cut meet-in-the-middle attack on 31-round 2-GOST with only data of . In this attack, we only need 8 bytes of memory, which is negligible.
1. Introduction
GOST block cipher [1], known as GOST 28147-89, was designed during the 1970s by the Soviet Union. It was standardized as the Russian encryption standard in 1989. As a lightweight-friendly block cipher, GOST is suitable for resource-constrained environments such as RFID tags and sensor nodes.
GOST’s block size is 64 bits and key size is 256 bits. The round function adopts a Feistel construction, in which there are a modular addition with the subkey, 8 S-boxes, and one rotation operation. However, the S-boxes used in GOST are not specified in the standard document. Each industry can use its own secret favored set of S-boxes to enhance the security of GOST. For example, the S-boxes used in the Central Bank of the Russian Federation are known in [2]. Besides that, the key schedule of GOST is extremely simple. The 256-bit master key is divided into eight 32-bit words; then the 32-bit subkeys used in different round functions are extracted directly from these 8 key words according to a special order.
Due to the simplicity of GOST’s key schedule, two attacks on full-round GOST were published by Isobe in [3] and Dinur et al. in [4] in 2011. In [3], Isobe combined the reflection property and meet-in-the-middle (MITM) attack to propose the single-key attack on full-round GOST. As a result, the key can be recovered with computations and known plaintexts. In [4], Dinur et al. introduced a new fixed point property as well as a better way to improve the attacks on full-round GOST. Given data, the memory complexity can reduce from to with the same time complexity . Given data, the time complexity can be down to . Although these attacks are not practical, they indicate the a priori in security of GOST.
In order to resist reflection attack and fixed point attack, the designers of GOST proposed a modification of the GOST block cipher, named 2-GOST [5]. In the new modification, there are two differences from original GOST. Firstly, the authors retained the same principle for key schedule as in GOST but changed the order of subkeys against existing attacks. Secondly, two concrete S-boxes were specified in the design document of 2-GOST for convenient cryptanalysis and better implementation.
Unfortunately, full-round 2-GOST still encounters reflection attack and fixed point attack. At FSE’17, Ashur et al. [6] proposed single-key attacks on it. Given data, the key can be recovered with computations by reflection attack. However, this attack only works for out of possible keys, which means this is a weak-key attack. To obtain attacks valid for all possible keys, the authors proposed impossible reflection attack and fixed point attack. Both need known plaintexts. In other words, these are codebook attacks, since they use the entire plaintext space. These results are summarized in Table 1.
 
(i) The unit of time complexity is one full-round encryption; (ii) 2D MITM: 2-dimensional meet-in-the-middle attack; (iii) CP: chosen plaintext; KP: known plaintext.
In this paper, our motivation is to propose attacks on 2-GOST with about data instead of codebook, and further to indicate that the key schedule in the modified version 2-GOST is not a good choice yet. Our contributions are summarized as follows:
(i) 2-dimensional MITM attack on full-round 2-GOST. The 2-dimensional MITM attack was proposed by Zhu and Gong in [7] to attack KATAN. Then, it has been applied on TWINE [8], GOST [4], and so on. This attack can improve the performance of general MITM attack, but attackers must be careful about the time complexity of accessing tables. In this paper, we apply 2-dimensional MITM attack combined with splice-cut technique [9] on full-round 2-GOST exploiting the weakness in key schedule. This attack is applicable for all possible keys with time complexity of full-round encryptions and memory complexity of bytes. Furthermore, the data is reduced from previous (codebook) to chosen plaintexts under single-key setting. The result is shown in Table 1.
(ii) Splice-cut MITM attack on 31-round 2-GOST. Based on some observations on key schedule and modular addition in the round function of 2-GOST, we apply MITM attack combined with splice-cut technique on reduced 31-round 2-GOST ( rounds). This attack is applicable for all possible keys with data complexity of chosen plaintexts and time complexity of full-round encryptions. It is important to stress that we only use 8-byte memory in this attack, which is negligible. The result is shown in Table 1.
This paper is organized as follows. In Section 2, we introduce the specifications of GOST and 2-GOST. Then, in Section 3, we briefly describe the general MITM attack, splice-cut MITM attack, and 2-dimensional MITM attack. In Sections 4 and 5, we propose the 2-dimensional MITM attack on full-round 2-GOST and splice-cut MITM attack on 31-round 2-GOST, respectively. Lastly, we summarize this paper in Section 6.
2. Specifications of GOST and 2-GOST
GOST [1] is a bitwise lightweight block cipher proposed by the Soviet Union. Its block size is 64 bits, key size is 256 bits, and total rounds are 32. GOST adopts Feistel construction as its round function, in which there are a nonlinear layer composed of eight bijective 4-bit S-boxes and a linear layer only containing a left rotation . Notably, subkeys are mixed with internal state by modular addition instead of traditional XOR. Please see the round function depicted in Figure 1.
The S-boxes used in GOST are bijective but not specified in the standard document. Each industry can choose its own secret favored set of S-boxes to enhance the security of GOST. For an example, please refer to the S-boxes used in the Central Bank of the Russian Federation in [2].
2. Specifications of GOST and 2GOST
GOST [1] is a bitwise lightweight block cipher proposed by the Soviet Union. Its block size is 64 bits, key size is 256 bits, and total rounds are 32. GOST adopts Feistel construction as its round function, in which there are a nonlinear layer composed of eight bijective 4bit Sboxes and a linear layer only containing a left rotation . Especially, subkeys are mixed with internal state by modular addition instead of traditional XOR. Please see the round function depicted in Figure 1.
The Sboxes used in GOST are bijective but not specified in the standard document. Each industry can choose its own secret favored set of Sboxes to enhance the security of GOST. Please refer to an example, the Sboxes used in the Central Bank of the Russian Federation in [2].
GOST’s key schedule is extremely simple. Each subkey uses one word (32 bits) of master key directly. Assume the master key is divided into eight words , each subkey used in round function adopts one of , , …, . In detail, the first 24 rounds periodically use , , …, as subkeys in ascending order; that is, that = , where and . The last 8 rounds use , , …, as subkeys in descending order; that is, that = , . All subkeys are summarized in Table 2.

2-GOST [5] is the modified version of GOST. It was proposed by the same designers of GOST for the purpose of fixing weaknesses in key schedule against reflection attack and fixed point attack. The differences between 2-GOST and GOST are selection of S-boxes and the order of subkeys in the key schedule. Unlike uncertain S-boxes used in GOST, 2-GOST adopts two concrete bijective S-boxes. Since we only use the bijective property of S-box in this paper, we omit the specification of S-box here. Besides that, 2-GOST uses another order of subkeys compared with GOST, which is summarized in Table 3.

3. Meet-in-the-Middle Attack
In this section, we will briefly recall general meet-in-the-middle (MITM) attack [10] combined with splice-cut technique [9] and 2-dimensional MITM attack [7].
3.1. General MITM Attack
The general MITM attack has two phases, one is the MITM phase and the other one is the brute-force testing phase.
Assume an bit block cipher with bit secret key is divided into two subciphers , , while is divided into three key parts , , and . is only used in and is only used in and is the rest of . The framework of general MITM attack is shown in Figure 2 and the steps of this attack are summarized as follows.
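The two phases named above, as an added example that is not code from the paper: a constructed toy Feistel cipher (16-bit block, three 8-bit key words, modular-addition key mixing) in which one key word is used only in the first half, one only in the second half, and one in both. The cipher, its S-box, rotation amount, round count, and sample key are all assumptions made for the illustration.

```python
# Constructed toy cipher (not GOST): 16-bit block as two bytes, three 8-bit key words.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SCHEDULE = [0, 2, 0, 1, 2, 1]  # k0 only in rounds 0-2, k1 only in rounds 3-5, k2 in both
SPLIT, ROUNDS = 3, 6


def f(x, k):
    t = (x + k) & 0xFF                         # subkey mixed in by modular addition
    t = (SBOX[t >> 4] << 4) | SBOX[t & 0xF]    # two bijective 4-bit S-boxes
    return ((t << 3) | (t >> 5)) & 0xFF        # left rotation by 3 bits


def forward(state, key, lo, hi):
    left, right = state
    for r in range(lo, hi):
        left, right = right, left ^ f(right, key[SCHEDULE[r]])
    return left, right


def backward(state, key, lo, hi):
    left, right = state
    for r in reversed(range(lo, hi)):
        left, right = right ^ f(left, key[SCHEDULE[r]]), left
    return left, right


def encrypt(block, key):
    return forward(block, key, 0, ROUNDS)


def mitm(pairs):
    """Recover (k0, k1, k2) from known pairs; returns (keys, partial encryptions done)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    keys, work = [], 0
    for k2 in range(256):                      # shared key part: guessed outermost
        table = {}
        for k0 in range(256):                  # forward half never touches k1
            table.setdefault(forward(p0, (k0, 0, k2), 0, SPLIT), []).append(k0)
        for k1 in range(256):                  # backward half never touches k0
            mid = backward(c0, (0, k1, k2), SPLIT, ROUNDS)
            for k0 in table.get(mid, []):      # match: candidate survives the MITM phase
                cand = (k0, k1, k2)
                if all(encrypt(p, cand) == c for p, c in rest):  # brute-force testing phase
                    keys.append(cand)
        work += 512                            # 256 forward + 256 backward half-encryptions
    return keys, work


if __name__ == "__main__":
    secret = (0x3A, 0xC5, 0x7E)                # constructed key for the demo
    pairs = [(p, encrypt(p, secret)) for p in [(0x01, 0x23), (0x45, 0x67), (0x89, 0xAB)]]
    keys, work = mitm(pairs)
    print(keys, f"{work} half-encryptions vs {2**24} full encryptions for exhaustive search")
```

Because the key (24 bits) is longer than the block (16 bits), matching on one pair leaves many false candidates, which is why the testing phase needs further plaintext/ciphertext pairs.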
3.2. Splice-Cut MITM Attack
In the chosen plaintext and chosen ciphertext settings, the first and the last rounds of the block cipher can be regarded as two successive rounds. Aoki and Sasaki applied the splice-cut technique to the MITM attack [9].
Assume an bit block cipher with bit secret key is divided into three subciphers , , and , while is divided into three key parts , , and . is only used in and , is only used in , and is the rest of . The framework of splice-cut MITM attack is shown in Figure 3, and the steps of the attack are summarized as follows:
3.3. 2-Dimensional MITM Attack
This attack was proposed in [7]. It is suitable to attack ciphers whose key size is larger than block size.
Assume an bit block cipher with bit secret key is divided into four subciphers , , , and . Key part is used in subcipher , . The framework of 2-dimensional MITM attack is shown in Figure 4 and the steps of the attack are summarized as follows.
Remark. In the 2-dimensional MITM attack model, the time of accessing tables is omitted in step 3b. However, it may well be the main time complexity in some attacks. For example, Wen et al. indicated in [11] that the actual time complexity of the 2-dimensional MITM attack on TWINE proposed in [8] exceeded the brute-force time. So in our attack on 2-GOST, we will take this part of the time into consideration.
4. 2-Dimensional MITM Attack on Full-Round 2-GOST
In this section, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST.
Before formally introducing the attack, we firstly illustrate how to decide the partial matching (meeting) point. Along the forward direction, each bit on (, ) can be deduced from (, ) and subkey as follows: where , and denote the th bit and the th to th bits of state X, respectively. From (3), we can find that no bits of are needed to deduce every bit on and at least 4 bits of are involved to deduce one bit on from (, ). Especially, only , , can be deduced by 4 bits of , that is, . In order to guess as few key bits as possible to reduce the attack’s time complexity, (, is a good candidate as matching point. Along the backward direction, the way that each bit on (, ) is deduced from (, ) and subkey is similar to that along the forward direction because the round function of 2-GOST adopts Feistel construction. Therefore, (, ) is a good candidate as matching point as well. In short, we select matching points from (, ) and (, ) in our attack.
Next, we start to describe our attack on full-round 2-GOST. Its framework is shown in Figure 5. Firstly, we divide full-round 2-GOST into 5 subciphers: Round 0, Rounds 1∼12, Rounds 13∼18, Rounds 19∼24, and Rounds 25∼31, denoted as , , , , and , respectively. The actual start point is the input of round 1 instead of the plaintext and two matching points are (, ) and ( ) depicted as in Figures 6 and 7, where denotes the th to th bits of state . In order to meet on (, ), there are 224 bits of key involved in subciphers and 164 bits of key involved in subcipher . Similarly, in order to meet on (, ), there are bits of key involved in subcipher , and bits of key involved in subciphers and . The attack steps are as follows:
In Step 1, the time complexity to build table is full-round encryptions. Since there are entities in table , on average, every entity contains bit values (, ). Therefore, the memory complexity is bytes. Similarly, in Step 2, the time complexity is about full-round encryptions, and the memory complexity is bytes.
Under each possible value of , on average, possible will be stored into table in Step 3a. Since table has entities by index, each entity contains one value (, ) on average. Thus, the time complexity of Step 3a is full-round encryptions and accesses. Assume one access roughly equals one one-round encryption. Then Step 3a needs full-round encryptions under each possible . Next, in Step 3b, the time complexity is full-round encryptions. Since there are possible remained after step 3b, the time complexity is accesses in Step 3c, that is, full-round encryptions. As a result, the time complexity of MITM phase is full-round encryptions. Meanwhile, there are candidate key remained. In the brute-force testing phase, we need 4 plaintext/ciphertext pairs to filter such candidate keys. The time complexity is . Totally, the time complexity of the whole attack on full-round 2-GOST is full-round encryptions. The memory complexity happens to build tables , , and , which is about bytes. Because and bit involved in , the data complexity is chosen plaintexts.
5. MITM Attack on 31-Round 2-GOST
2-GOST is a modified version of GOST by changing the key schedule to avoid reflection attack and fixed point attack. In this section, we apply the general MITM attack combined with splice-cut technique on 31-round 2-GOST due to the new order of subkeys. By analyzing the key schedule of 2-GOST, we observe the fact that has no chance to be used from Round 2 to Round 13. On the other hand, has no chance to be used from Round 19 to Round 30 as well. Furthermore, Round 0 to Round 2 could be computed without . Based on those observations, we construct a MITM attack on the reduced 31-round 2-GOST. Figure 8 shows an overview of the attack.
In this attack, we divide 31-round 2-GOST into three subciphers: Rounds , Rounds , and Rounds , denoted by , , and , respectively. The actual start point is on (, ), and matching point is on . In order to compute the value of from (, ) forward, there are 124 bits of key except involved, while from ciphertext backward, there are 124 bits of key except involved. Let denote the key bits only used in , denote the key bits only used in and , and denote common key part among three subciphers. Here, = , = , and . In detail, the attack process is as follows (Figure 9).
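The observations this section relies on are statements about which master-key word is absent from a run of consecutive rounds. As an added example (not from the paper), the check below finds the longest such run for any subkey order; it is run here on the original GOST order described in Section 2, and the function names are illustrative.

```python
def gost_schedule():
    """Original GOST subkey order: rounds 0-23 cycle k0..k7, rounds 24-31 run k7..k0."""
    return [r % 8 for r in range(24)] + [7 - r for r in range(8)]


def longest_unused_run(schedule, word, cyclic=True):
    """Return (first_round, length) of the longest run of rounds that never use `word`.

    With cyclic=True the run may wrap from the last round back to round 0,
    which is how splice-cut treats the first and last rounds as neighbours.
    """
    n = len(schedule)
    used = [r for r, w in enumerate(schedule) if w == word]
    if not used:
        return (0, n)
    # Gaps strictly between two consecutive uses of the word.
    runs = [(a + 1, b - a - 1) for a, b in zip(used, used[1:])]
    head, tail = used[0], n - 1 - used[-1]
    if cyclic:
        runs.append(((used[-1] + 1) % n, head + tail))
    else:
        runs += [(0, head), (used[-1] + 1, tail)]
    return max(runs, key=lambda run: run[1])


def audit(schedule, words=8):
    """Map each master-key word to its longest cyclic unused run."""
    return {w: longest_unused_run(schedule, w) for w in range(words)}


if __name__ == "__main__":
    for word, (start, length) in audit(gost_schedule()).items():
        print(f"k{word}: unused for {length} rounds starting at round {start}")
```

A schedule passed as a list of word indices per round can be audited the same way; long runs for two different words on opposite sides of a split are what make the key-part separation of Section 3 possible.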
5.1. Complexity Evaluation
According to (2), in the MITM phase, the time complexity is about 14-round encryptions and 15-round encryptions, which is equal to 31-round encryptions. Meanwhile, in the brute-force testing phase, the time complexity is about 31-round encryptions. Totally, the time complexity of the whole attack is 31-round encryptions. Since , , and are not affected by (depicted in Figure 10), these 32 bits of plaintext can be fixed in advance. Therefore, the data complexity in MITM phase is chosen plaintexts. Regarding the required memory, it is mainly needed to build table , which needs about 8 bytes (= bits).
6. Conclusion
In this paper, we improve the single-key attacks on 2-GOST, a modification of GOST, with data of for all possible keys. Firstly, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST. Its time and memory complexities are encryptions and 256-bit blocks, respectively. Then, we apply splice-cut MITM attack on reduced 31-round 2-GOST. The time complexity is encryptions and memory complexity is negligible. Note that these attacks are still not practical to be implemented, but they indicate that the key schedule in the modification version 2-GOST is not a good choice yet.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare no conflicts of interest.
Acknowledgments
This work was supported by the NSFC Projects (nos. 61902100 and 61902098), Key Research, Development Program of Zhejiang Province (nos. 2020C01078 and 2019C01012), Foundation of Science and Technology on Communication Security Laboratory (no. 6142103190105), and Natural Science Foundation of Zhejiang Province (no. Q20F020063).
References
[1] Russian National Bureau of Standards, Federal Information Processing Standard-Cryptographic Protection—Cryptographic Algorithm, 1989, GOST 28147-89, http://tools.ietf.org/html/rfc5830.
[2] OpenSSL, A Reference Implementation of GOST, http://www.openssl.org/source/.
[3] T. Isobe, “A single-key attack on the full GOST block cipher,” Fast Software Encryption, vol. 6733, Springer, Berlin, Germany, 2011.
[4] I. Dinur, O. Dunkelman, and A. Shamir, “Improved attacks on full GOST,” Fast Software Encryption, vol. 7549, Springer, Berlin, Germany, 2012.
[5] A. A. Dmukh, D. M. Dygin, and G. B. Marshalko, “A lightweight-friendly modification of GOST block cipher,” IACR Cryptology ePrint Archive, vol. 2015, p. 65, 2015, https://eprint.iacr.org/2015/065.pdf.
[6] T. Ashur, A. Bar-On, and D. Orr, “Cryptanalysis of GOST2,” IACR Transactions on Symmetric Cryptology, vol. 1, pp. 203–214, 2017.
[7] B. Zhu and G. Gong, “Multidimensional meet-in-the-middle attack and its applications to KATAN32/48/64,” Cryptography and Communications, vol. 6, no. 4, pp. 313–333, 2014.
[8] Ö. Boztaş, F. Karakoç, and M. Çoban, “Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128,” Lightweight Cryptography for Security and Privacy. LightSec 2013. LNCS, vol. 8162, Springer, Berlin, Heidelberg, 2013.
[9] K. Aoki and Y. Sasaki, “Preimage attacks on one-block MD4, 63-step MD5 and more,” SAC 2008. LNCS, vol. 5381, Springer, Heidelberg, Germany, 2009.
[10] W. Diffie and M. E. Hellman, “Special feature exhaustive cryptanalysis of the NBS data encryption standard,” Computer, vol. 10, no. 6, pp. 74–84, 1977.
[11] L. Wen, M. Wang, A. Bogdanov, and H. Chen, “Note of multidimensional MITM attack on 25-round TWINE-128,” IACR Cryptology ePrint Archive, vol. 2014, p. 425, 2014, https://eprint.iacr.org/2014/425.pdf.
Copyright
Copyright © 2020 Qiuhua Zheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.