Research Article | Open Access
Qiuhua Zheng, Yinhao Hu, Tao Pei, Shengwang Xu, Junzhe Yu, Ting Wu, Yanzhao Shen, Yingpei Zeng, Tingting Cui, "Improved Single-Key Attacks on 2-GOST", Security and Communication Networks, vol. 2020, Article ID 8886032, 10 pages, 2020. https://doi.org/10.1155/2020/8886032
Improved Single-Key Attacks on 2-GOST
GOST, known as GOST-28147-89, was standardized as the Russian encryption standard in 1989. It is a lightweight-friendly cipher and suitable for the resource-constrained environments. However, due to the simplicity of GOST’s key schedule, it encountered reflection attack and fixed point attack. In order to resist such attacks, the designers of GOST proposed a modification of GOST, namely, 2-GOST. This new version changes the order of subkeys in the key schedule and uses concrete S-boxes in round function. But regarding single-key attacks on full-round 2-GOST, Ashur et al. proposed a reflection attack with data of on a weak-key class of size , as well as the fixed point attack and impossible reflection attack with data of for all possible keys. Note that the attacks applicable for all possible keys need the entire plaintext space. In other words, these are codebook attacks. In this paper, we propose single-key attacks on 2-GOST with only about data instead of codebook. Firstly, we apply 2-dimensional meet-in-the-middle attack combined with splice-cut technique on full-round 2-GOST. This attack is applicable for all possible keys, and its data complexity reduces from previous to . Besides that, we apply splice-cut meet-in-the-middle attack on 31-round 2-GOST with only data of . In this attack, we only need 8 bytes of memory, which is negligible.
GOST block cipher  is known as GOST-28147-89 designed during the 1970s by the Soviet Union. It was standardized as the Russian encryption standard in 1989. As a lightweight-friendly block cipher, GOST is suitable for the resource-constrained environments such as RFID tags and sensor nodes.
GOST’s block size is 64 bits and key size is 256 bits. Round function adopts Feistel construction, in which there are a modular addition with subkey, 8 S-boxes and one rotation operation. However, the S-boxes used in GOST are not specified in the standard document. Each industry can use its own secret favored set of S-boxes to enhance the security of GOST. For example, the S-boxes used in the Central Bank of the Russian Federation is known in . Besides that, the key schedule of GOST is extremely simple. 256-bit master key is divided into eight 32-bit words; then the 32-bit subkeys used in different round functions directly extract from these 8-word keys according to a special order.
Due to the simplicity of GOST’s key schedule, two attacks on full-round GOST were published by Isobe in  and Dinur et al. in  in 2011. In , Isobe combined the reflection property and meet-in-the-middle (MITM) attack to propose the single-key attack on full-round GOST. As a result, the key can be recovered with computations and known plaintexts. In , Dinur et al. introduced a new fixed point property as well as a better way to improve the attacks on full-round GOST. Given data, the memory complexity can reduce from to with the same time complexity . Given data, the time complexity can be down to . Although these attacks are not practical, they indicate the a priori in security of GOST.
In order to resist reflection attack and fixed point attack, the designers of GOST proposed a modification of GOST block cipher, named, 2-GOST . In the new modification, there are two differences from original GOST. Firstly, the authors retained the same principle for key schedule as in GOST but changed the order of subkeys against existed attacks. Secondly, two concrete S-boxes were specified in the design document of 2-GOST for convenient cryptanalysis and better implementation.
Unfortunately, full-round 2-GOST still encounters reflection attack and fixed point attack. At FSE’17, Ashur et al.  proposed single-key attacks on it. Given data, the key can be recovered with computations by reflection attack. However, this attack only works for out of possible keys, which means this is a weak-key attack. For sake of valid for all possible keys, the authors proposed impossible reflection attack and fixed point attack. Both need known plaintexts. In other words, these are codebook attacks, since they use the entire plaintext space. These results are summarized in Table 1.
(i) The unit of time complexity is one full-round encryption; (ii) 2D MITM: 2-dimensional meet-in-the-middle attack; (iii) CP: chosen plaintext; KP: known plaintext.
In this paper, our motivation is to propose attacks on 2-GOST with about data instead of codebook, further to indicate that the key schedule in modification version 2-GOST is not a good choice yet. Our contributions are summarized as follows: 2-dimensional MITM attack on full-round 2-GOST 2-dimensional MITM attack was proposed by Zhu and Gong in  to attack KATAN. Then, it has been applied on TWINE , GOST , and so on. This attack can improve the performance of general MITM attack, but attackers must be careful about the time complexity of accessing tables. In this paper, we apply 2-dimensional MITM attack combined with splice-cut technique  on full-round 2-GOST exploiting the weakness in key schedule. This attack is applicable for all possible keys with time complexity of full-round encryptions and memory complexity of bytes. Furthermore, the data reduced from previous (codebook) to chosen plaintexts under single-key setting. The result is shown in Table 1. Splice-cut MITM attack on 31-round 2-GOST Based on some observations on key schedule and modular addition in the round function of 2-GOST. We apply MITM attack combined with splice-cut technique on reduced 31-round 2-GOST ( rounds). This attack is applicable for all possible keys with data complexity of chosen plaintexts and time complexity of full-round encryptions. It is important to stress that we only use 8-byte memory in this attack which is negligible. The result is shown in Table 1.
This paper is organized as follows. In Section 2, we introduce the specifications of GOST and 2-GOST. Then, in Section 3, we briefly describe the general MITM attack, splice-cut MITM attack, and 2-dimensional MITM attack. In Sections 4 and 5, we propose the 2-dimensional MITM attack on full-round 2-GOST and splice-cut MITM attack on 31-round 2-GOST, respectively. Lastly, we summarize this paper in Section 6.
2. Specifications of GOST and 2-GOST
GOST  is a bit-wise lightweight block cipher proposed by the Soviet Union. Its block size is 64 bits, key size is 256 bits, and total rounds are 32. GOST adopts Feistel construction as its round function, in which there are a nonlinear layer composed of eight bijective 4-bit S-boxes and a linear layer only containing a left rotation . Especially, subkeys are mixed with internal state by modular addition instead of traditional XOR. Please see the round function depicted in Figure 1.
The S-boxes used in GOST are bijective but not specified in the standard document. Each industry can choose its own secret favored set of S-boxes to enhance the security of GOST. Please refer to an example, the S-boxes used in the Central Bank of the Russian Federation in .
GOST’s key schedule is extremely simple. Each subkey uses one word (32 bits) of master key directly. Assume the master key is divided into eight words , each subkey used in round function adopts one of , , …, . In detail, the first 24 rounds periodically use , , …, as subkeys in ascending order; that is, that = , where and . The last 8 rounds use , , …, as subkeys in descending order; that is, that = , . All subkeys are summarized in Table 2.
2-GOST  is the modified version of GOST. It was proposed by the same designers of GOST for the purposed of fixing weaknesses in key schedule against reflection attack and fixed point attack. The differences between 2-GOST and GOST are selection of S-boxes and the order of subkeys in the key schedule. Unlike uncertain S-boxes used in GOST, 2-GOST adopts two concrete bijective S-boxes. Since we only use the bijective property of S-box in this paper, we omit the specification of S-box here. Besides that, 2-GOST uses another order of subkeys comparing with GOST, which is summarized in Table 3.
3. Meet-in-the-Middle Attack
3.1. General MITM Attack
The general MITM attack has two phases, one is the MITM phase and the other one is the brute-force testing phase.
Assume an -bit block cipher with -bit secret key is divided into two subciphers , , while is divided into three key parts , , and . is only used in and is only used in and is the rest of . The framework of general MITM attack is shown in Figure 2 and the steps of this attack is summarized as follows.
3.2. Splice-Cut MITM Attack
In the chosen plaintext and chosen ciphertext settings, the first and the last rounds of the block cipher can be regarded as two successive rounds. Aoki and Sasaki applied splice-cut technique into MITM attack .
Assume an -bit block cipher with -bit secret key is divided into three subciphers , , and , while is divided into three key parts , , and . is only used in and , is only used in , and is the rest of . The framework of splice-cut MITM attack is shown in Figure 3, and the steps of the attack are summarized as follows:
3.3. Dimensional MITM Attack
This attack was proposed in . It is suitable to attack ciphers whose key size is larger than block size.
Assume an -bit block cipher with -bit secret key is divided into four subciphers , , , and . Key part is used in subcipher , . The framework of 2-dimensional MITM attack is shown in Figure 4 and the steps of the attack is summarized as follows.
Remark. In the 2-dimensional MITM attack model, the time of accessing tables is omitted in step 3b. However, it is much possible to be the main time complexity in some attacks. For example, Wen et al. indicated in  that the actual time complexity of 2-dimensional MITM attack on TWINE proposed in  exceeded the brute-force time. So in our attack on 2-GOST, we will take this part time into consideration.
4. 2-Dimensional MITM Attack on Full-Round 2-GOST
In this section, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST.
Before formally introducing the attack, we firstly illustrate how to decide the partial matching (meeting) point. Along the forward direction, each bit on (, ) can be deduced from (, ) and subkey as follows:where , and denote the -th bit and the -th to -th bits of state X, respectively. From (3), we can find that no bits of are needed to deduce every bit on and at least 4 bits of are involved to deduce one bit on from (, ). Especially, only , , can be deduced by 4 bits of , that is, . In order to guess key bits as few as possible to reduce the attack’s time complexity, (, is a good candidate as matching point. Along the backward direction, the way that each bit on (, ) deduced from (, ) and subkey is similar with that along the forward direction because round function of 2-GOST adapts Feistel construction. Therefore, (, ) is a good candidate as matching point as well. In a short, we select matching points from (, ) and (, ) in our attack.
Next, we start to describe our attack on full-round 2-GOST. Its framework is shown in Figure 5. Firstly, we divide full-round 2-GOST into 5 subciphers: Round 0, Rounds 1∼12, Rounds 13∼18, Rounds 19∼24, and Rounds 25∼31, denoted as , , , , and , respectively. The actual start point is the input of round 1 instead of the plaintext and two matching points are (, ) and ( ) depicted as in Figures 6 and 7, where denotes the -th to -th bits of state . In order to meet on (, ), there are 224 bits key involved in subciphers and 164 bits of key involved in subcipher . Similarly, In order to meet on (, ), there are bits of key involved in subcipher , and bits key involved in subciphers and . The attack steps are as follows:
In Step 1, the time complexity to build table is full-round encryptions. Since there are entities in table , on average, every entity contains -bit values (, ). Therefore, the memory complexity is bytes. Similarly, in Step 2, the time complexity is about full-round encryptions, and the memory complexity is bytes.
Under each possible value of , on average, possible will be stored into table in Step 3a. Since table has entities by index, each entity contains one value (, ) on average. Thus, the time complexity of Step 3a is full-round encryptions and accesses. Assume one access roughly equals to one-round encryption. Then Step 3a needs full-round encryptions under each possible . Next, in Step 3b, the time complexity is full-round encryptions. Since there are possible remained after step 3b, the time complexity is accesses in Step 3c, that is, full-round encryptions. As a result, the time complexity of MITM phase is full-round encryptions. Meanwhile, there are candidate key remained. In the brute-force testing phase, we need 4 plaintext/ciphertext pairs to filter such candidate keys. The time complexity is . Totally, the time complexity of the whole attack on full-round GOST2 is full-round encryptions. The memory complexity happens to build tables , , and , which is about bytes. Because and -bit involved in , the data complexity is chosen plaintexts.
5. MITM Attack on 31-Round 2-GOST
2-GOST is a modified version of GOST by changing the key schedule to avoid reflection attack and fixed point attack. In this section, we apply the general MITM attack combined with splice-cut technique on 31-round 2-GOST due to the new order of subkeys. By analyzing the key schedule of 2-GOST, we observe the fact that has no chance to be used from Round 2 to Round 13. On the other hand, has no chance to be used from Round 19 to Round 30 as well. Furthermore, Round 0 to Round 2 could be computed without . Based on those observations, we construct a MITM attack on the reduced 31-round 2-GOST. Figure 8 shows an overview of the attack.
In this attack, we divide 31-round 2-GOST into three subciphers: Rounds , Rounds , and Rounds , denoted by , , and , respectively. The actual start point is on (, ), and matching point is on . In order to compute the value of from (, ) forward, there are 124 bits of key except involved, while from ciphertext backward, there are 124 bits of key except involved. Let denote the key bits only used in , denote the key bits only used in and , and denote common key part among three subciphers. Here, = , = , and . In detail, the attack process is as follows (Figure 9).
5.1. Complexity Evaluation
According to (2), in the MITM phase, the time complexity is about 14-round encryptions and 15-round encryptions, which is equal to 31-round encryptions. Meanwhile, in the brute-force testing phase, the time complexity is about 31-round encryptions. Totally, the time complexity of the whole attack is 31-round encryptions. Since , , and are not affected by (depicted in Figure 10); these 32 bits of plaintext can be fixed in advance. Therefore, the data complexity in MITM phase is chosen plaintexts. Regarding the required memory, it mainly happens to build table , which needs about 8 bytes (= bits).
In this paper, we improve the single-key attacks on 2-GOST, a modification of GOST, with data of for all possible keys. Firstly, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST. Its time and memory complexities are encryptions and 256-bit blocks, respectively. Then, we apply splice-cut MITM attack on reduced 31-round 2-GOST. The time complexity is encryptions and memory complexity is negligible. Note that these attacks are still not practical to be implemented, but they indicate that the key schedule in the modification version 2-GOST is not a good choice yet.
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare no conflicts of interest.
This work was supported by the NSFC Projects (nos. 61902100 and 61902098), Key Research, Development Program of Zhejiang Province (nos. 2020C01078 and 2019C01012), Foundation of Science and Technology on Communication Security Laboratory (no. 6142103190105), and Natural Science Foundation of Zhejiang Province (no. Q20F020063).
- Russian National Bureau of Standards, Federal Information Processing Standard-Cryptographic Protection—Cryptographic Algorithm, 1989, GOST 28147-89, http://tools.ietf.org/html/rfc5830.
- OpenSSL, A Reference Implementation of GOST, http://www.openssl.org/source/.
- T. Isobe, “A single-key attack on the full GOST block cipher,” Fast Software Encryption, vol. 6733, Springer, Berlin, Germany, 2011.
- I. Dinur, O. Dunkelman, and A. Shamir, “Improved attacks on full GOST,” Fast Software Encryption, vol. 7549, Springer, Berlin, Germany, 2012.
- A. A. Dmukh, D. M. Dygin, and G. B. Marshalko, “A lightweight-friendly modification of GOST block cipher,” IACR Cryptology ePrint Archive, vol. 2015, p. 65, 2015, https://eprint.iacr.org/2015/065.pdf.
- T. Ashur, A. Bar-On, and D. Orr, “Cryptanalysis of GOST2,” IACR Transactions on Symmetric Cryptology, vol. 1, pp. 203–214, 2017.
- B. Zhu and G. Gong, “Multidimensional meet-in-the-middle attack and its applications to KATAN32/48/64,” Cryptography and Communications, vol. 6, no. 4, pp. 313–333, 2014.
- Ö. Boztaş, F. Karakoç, and M. Çoban, “Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128,” Lightweight Cryptography for Security and Privacy. LightSec 2013. LNCS, vol. 8162, Springer, Berlin, Heidelberg, 2013.
- K. Aoki and Y. Sasaki, “Preimage attacks on one-block MD4, 63-step MD5 and more,” SAC 2008. LNCS, vol. 5381, Springer, Heidelberg, Germany, 2009.
- W. Diffie and M. E. Hellman, “Special feature exhaustive cryptanalysis of the NBS data encryption standard,” Computer, vol. 10, no. 6, pp. 74–84, 1977.
- L. Wen, M. Wang, A. Bogdanov, and H. Chen, “Note of multidimensional MITM attack on 25-round TWINE-128,” IACR Cryptology ePrint Archive, vol. 2014, p. 425, 2014, https://eprint.iacr.org/2014/425.pdf.
Copyright © 2020 Qiuhua Zheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.