256 Bit Standardized Crypto for 650 GE - GOST Revisited

@inproceedings{Poschmann2010256BS,
  title={256 Bit Standardized Crypto for 650 GE - GOST Revisited},
  author={Axel Poschmann and San Ling and Huaxiong Wang},
  booktitle={CHES},
  year={2010}
}
The former Soviet encryption algorithm GOST 28147-89 has been standardized by the Russian standardization agency in 1989 and extensive security analysis has been done since. So far no weaknesses have been found and GOST is currently under discussion for ISO standardization. Contrary to the cryptographic properties, there has not been much interest in the implementation properties of GOST, though its Feistel structure and the operations of its round function are well-suited for hardware… 

Security Evaluation of GOST 28147-89 in View of International Standardisation

  • N. Courtois
  • Computer Science, Mathematics
    Cryptologia
  • 2012
A new general paradigm for effective symmetric cryptanalysis, so-called “Algebraic Complexity Reduction”, is presented, which builds on many already known attacks on symmetric ciphers, such as fixed point, slide, involution, cycling, and other self-similarity attacks.

Algebraic Complexity Reduction and Cryptanalysis of GOST

  • N. Courtois
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2011
Several attacks on full 32-round GOST, two of which are substantially faster and most of which require much less memory, are presented, and it is demonstrated that GOST can also be broken totally independently from reflection attacks.

Enhanced truncated differential cryptanalysis of GOST

A basic heuristic methodology and a framework for constructing families of distinguishers are presented and differential sets of a special new form dictated by the specific regular structure of GOST are introduced.

Cryptanalysis of GOST2

It is shown that similar weaknesses exist in the new version of GOST as well, and a fixed-point attack on the full cipher with time complexity of $2^{237}$ encryptions is presented.

Cryptanalysis of GOST 2

It is shown that similar weaknesses exist in the new version of GOST as well, and a fixed-point attack on the full cipher with time complexity of $2^{237}$ encryptions is presented.

Cryptanalysis of Two GOST Variants with 128-Bit Keys

  • N. Courtois
  • Computer Science, Mathematics
    Cryptologia
  • 2014
The authors show that both very natural 128-bit variants of GOST are insecure, and all of their attacks are nearly practical.

Propagation of Truncated Differentials in GOST

It is proved that GOST is NOT a Markov cipher though in approximation it still seems to behave like one and a heuristic black-box methodology is proposed for efficient discovery of interesting sets of differentials in GOST and results better than any previously known can be obtained with this methodology.

Advanced Truncated Differential Attacks Against GOST Block Cipher and Its Variants

This paper presents an attack against full GOST for the variant of GOST which is supposed to be the strongest one and uses the set of S-boxes proposed in ISO 18033-3, and is of Depth-First key search style constructed by solving several underlying optimization problems.

An Improved Differential Attack on Full GOST

  • N. Courtois
  • Computer Science, Mathematics
    The New Codebreakers
  • 2016
The main result of this paper is a single-key attack against full 32-round 256-bit GOST with time complexity of $2^{179}$, which is substantially faster than any other known single-key attack on GOST.

First Differential Attack on Full 32-Round GOST

This paper shows that GOST is not secure even against (advanced forms of) differential cryptanalysis (DC), and shows a first advanced differential attack faster than brute force on full 32-round GOST.

References

ASIC Implementations of the Block Cipher SEA for Constrained Applications

This paper investigates the hardware performances of SEA in a 0.13 µm CMOS technology and illustrates the interest of platform/context-oriented block cipher design and, as far as SEA is concerned, its low area requirements and reasonable efficiency.

Modified S-box to Archive Accelerated GOST

This paper presents the principal algorithm of the GOST block cipher with a reduced number of rounds, and describes the general encryption algorithms of GOST and DES for comparison.

New Lightweight DES Variants

A new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times, which is well suited for ultra-constrained devices such as RFID tags.

mCrypton - A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors

A new 64-bit block cipher mCrypton with three key size options (64 bits, 96 bits and 128 bits), specifically designed for use in resource-constrained tiny devices, such as low-cost RFID tags and sensors is presented.

Ultra-Lightweight Implementations for Smart Devices - Security for 1000 Gate Equivalents

This paper presents three different architectures of the ultra-lightweight algorithm PRESENT and highlights their suitability for both active and passive smart devices, and presents the implementation results of the serialized architecture, which is the smallest hardware implementation of a cryptographic algorithm with a moderate security level.

AES implementation on a grain of sand

A hardware implementation of the advanced encryption standard (AES) which is optimised for low-resource requirements and nearly ignorable power consumption in combination with the extreme area efficiency allows new fields of applications for AES which were beyond imagination before.

KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers

A new family of very efficient hardware oriented block ciphers divided into two flavors, which is more compact in hardware, as the key is burnt into the device (and cannot be changed), and achieves encryption speed of 12.5 KBit/sec.

Progress in Cryptology - INDOCRYPT 2008, 9th International Conference on Cryptology in India, Kharagpur, India, December 14-17, 2008. Proceedings

A new class of Weak Encryption Exponents in RSA, and another Approach to Pairing Computation in Edwards Coordinates are presented.

PRESENT: An Ultra-Lightweight Block Cipher

An ultra-lightweight block cipher, PRESENT, which is competitive with today's leading compact stream ciphers and suitable for extremely constrained environments such as RFID tags and sensor networks.

On the Classification of 4 Bit S-Boxes

All optimal 4 bit S-boxes are classified and it is shown that an S-box which is optimal against differential and linear attacks is always optimal with respect to algebraic attacks as well.