Post on 05-Aug-2020
GOST GOST2 Attacks Summary
Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of GOST’s Problems?
Orr Dunkelman (joint work with Achiya Bar-On and Tomer Ashur)
University of Haifa
June 29, 2016
Orr Dunkelman Cryptanalysis of GOST2 1/ 24
History of the GOST Block Cipher
◮ GOST 28147-89 defined a block cipher (A.K.A. Magma these days)
◮ 64-bit block, 256-bit key
◮ 32-round Feistel
◮ With different secret S-boxes for each industry (a few leaked)
The GOST Block Cipher
[Figure: the GOST round function, showing the round subkey SK_r, the S-boxes S1–S8, and the rotation ≪ 11]
The GOST Key Schedule
◮ The key schedule takes a 256-bit key (eight 32-bit words — K0, K1, K2, ..., K7) and uses them according to:
K0 K1 K2 K3 K4 K5 K6 K7
K0 K1 K2 K3 K4 K5 K6 K7
K0 K1 K2 K3 K4 K5 K6 K7
K7 K6 K5 K4 K3 K2 K1 K0
◮ The descending order — probably to defeat slide attacks
Attacks on GOST (Short and Partial History)
◮ Related-key differential attacks on reduced-round GOST (specific S-boxes) [KSW96]
◮ Chosen-key S-box recovery attacks [S99]
◮ Related-key differential attacks on reduced-round GOST [KS00]
◮ Related-key differential attacks on full GOST [K+04]
◮ Slide attacks on first 24 rounds [BW00]
◮ Slide attacks on full GOST for a weak key class of 2^128 keys [BW00]
◮ Slide attacks on first 30 rounds [BDK07]
Attack                       Data     Memory  Time    S-boxes
Reflection [I11]             2^32 CP  2^64    2^224   Bijective
Fixed point/Algebraic [C11]  2^64 KP  2^64    2^248   Russian Banks
Differential [CM11]          2^64 KP  2^64    2^226   Russian Banks
Fixed point [DDS12]          2^64 KP  2^36    2^192   any
Fixed point [DDS12]          2^64 KP  2^19    2^204   any
Reflection [DDS12]           2^32 KP  2^36    2^224   any
Reflection [DDS12]           2^32 KP  2^19    2^236   any
Very Quick Summary of the Reflection Attack
◮ Assume that at the entrance to round 25, the intermediate encryption value is (x, x)
◮ Then round 25 cancels round 24, round 26 cancels round 23, etc.
[Figure: two mirrored rounds that both use subkey K7, with the state (x, x) between them and the intermediate values y and x ⊕ y]
◮ Isobe noticed that for a reflection point, the intermediate encryption value after 16 rounds is equal to the ciphertext
◮ This allows for attacking 16-round GOST (using meet in the middle, or any attack you wish for)
ISO SC27 (Parallel Work)
◮ The Russian federation has submitted GOST (Magma) for standardization in 2010 to ISO SC27 (18033)
◮ Several issues spotted:
    ◮ S-boxes were not defined
    ◮ Related-key attacks
◮ By the time they were “addressed”, Isobe’s attack came out
In Mother Russia, Cipher Encrypts You!
◮ Following the failure of standardizing GOST, a new cipher was suggested
◮ Kuznyechik (Grasshopper) — 128-bit block, 256-bit key SPN
    ◮ Secret design process
    ◮ Interesting properties revealed by [BP15,BPU16] about how the S-box was designed
◮ And then came a new proposal. . .
The GOST2 Block Cipher
◮ Dmukh, Dygin, and Marshalko offered a variant of GOST on eprint report 2015/065
◮ Two main changes with respect to GOST:
    ◮ S-boxes are fully specified
    ◮ Key schedule changed to:
K0 K1 K2 K3 K4 K5 K6 K7
K3 K4 K5 K6 K7 K0 K1 K2
K5 K6 K7 K0 K1 K2 K3 K4
K6 K5 K4 K3 K2 K1 K0 K7
The Security Claims
Both Isobe and Dinur-Dunkelman-Shamir attacks exploit the reflection property for the last 16 iterations. For the proposed algorithm the probability of the corresponding event is negligible: P{K0 = K2 = K4 = K6, K1 = K3 = K5 = K7} = 2^-192 (if keys are selected at random).
The first Dinur-Dunkelman-Shamir method works if K0 = K2 = K4 = K6 = K1 = K3 = K5 = K7. The probability of such event is 2^-224.
Since the new key schedule could be represented as a concatenation of different shifts of (K0, . . . ,K7), 2-GOST (together with original GOST) is subjected to related-key attacks. At the same time, such attacks are difficult for practical implementation, since the probabilities of relations are negligible (see, for example, [5]), when keys are selected randomly.
. . . Eprint report 2015/065
A Reflection Property for GOST2 (Weak Key Class)
◮ Consider the key schedule of rounds 18–31, when K5 = K6:
K5 K6 K7 K0 K1 K2 K3 K4
K6 K5 K4 K3 K2 K1 K0 K7
◮ Hence, if the intermediate encryption value after 25 rounds is (x, x), the ciphertext is equal to the value after 18 rounds
A Reflection Attack on GOST2 (Weak Key Class)
Require: 2^32 pairs of known plaintexts and ciphertexts - {Pi, Ci}.
for S3, K5 = K6 do
    for (Pi, Ci), K0 do
        K1, K2 ← Solve(Pi, S3, K0)
        S13 ← R^-1_SK13(R^-1_SK14(R^-1_SK15(R^-1_SK16(R^-1_SK17(Ci = S18)))))
        T[S13] ← (Pi, K0, K1, K2)
    end for
    for K3, K4, K7 do
        S13 ← R_SK12(R_SK11(R_SK10(R_SK9(R_SK8(R_SK7(R_SK6(R_SK5(R_SK4(R_SK3(S3))))))))))
        (Pi, K0, K1, K2) ← T[S13]
        TRY(K0, K1, K2, K3, K4, K5, K6, K7)
    end for
end for
[Figure: the attack laid out across the cipher: P, rounds 0–2 (K0, K1, K2), S3, rounds 3–12 (K3, K4, ..., K7), S13, rounds 13–17 (K0, K1, K2, K5 = K6), C, rounds 18–24, S25 with L25 = R25, rounds 25–31, C]
◮ Data complexity: 2^32 KPs
◮ Memory complexity: 2^64 blocks
◮ Time complexity: 2^192
◮ Weak Key Size: 2^224
◮ Attack can be transformed into an impossible reflection attack for all other keys (data increased to 2^64, saves a factor of 5.4 on exhaustive search)
A Fixed Point Property for GOST2
◮ Consider the key schedule of rounds 10–22:
K3 K4 K5 K6 K7 K0 K1 K2
K5 K6 K7 K0 K1 K2 K3 K4
◮ The keys of rounds 10–15 are the same as 16–21
◮ Hence, a fixed point of rounds 10–15 is a fixed point for rounds 10–21
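Both the reflection property (weak key class K5 = K6) and the fixed-point property depend only on the order in which the subkeys are used, so they can be checked mechanically. The Python sketch below is an added example, not code from the talk or from the GOST2 designers; it encodes the GOST2 key order from the slides and assumes a placeholder 4-bit S-box in a GOST-style round function, since the real GOST2 S-boxes are not reproduced here.

```python
# Added example: the GOST2 subkey order from the slides, with a toy GOST-style
# round function. SBOX is a placeholder permutation (an assumption), NOT a
# GOST2 S-box; the properties checked here depend only on the key order.
MASK = 0xFFFFFFFF
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

GOST2_ORDER = ([0, 1, 2, 3, 4, 5, 6, 7] + [3, 4, 5, 6, 7, 0, 1, 2] +
               [5, 6, 7, 0, 1, 2, 3, 4] + [6, 5, 4, 3, 2, 1, 0, 7])

def f(x, k):
    """Add the subkey mod 2^32, substitute every nibble, rotate left by 11."""
    t = (x + k) & MASK
    s = 0
    for i in range(8):
        s |= SBOX[(t >> (4 * i)) & 0xF] << (4 * i)
    return ((s << 11) | (s >> 21)) & MASK

def round_fwd(state, k):
    left, right = state
    return right, left ^ f(right, k)

def round_inv(state, k):
    left, right = state
    return right ^ f(left, k), left

def run(state, key, rounds, inverse=False):
    """Apply the listed rounds, in the order given, under the GOST2 key order."""
    step = round_inv if inverse else round_fwd
    for rnd in rounds:
        state = step(state, key[GOST2_ORDER[rnd]])
    return state

def reflection_holds(key, x):
    """Fix S25 = (x, x) and compare the output of rounds 25-31 with S18."""
    s25 = (x, x)
    s18 = run(s25, key, range(24, 17, -1), inverse=True)  # undo rounds 24..18
    out = run(s25, key, range(25, 32))                    # apply rounds 25..31
    return out == s18[::-1]   # equal up to the half swap every toy round does

def fixed_point_window():
    """Rounds 10-15 and 16-21 use the same subkeys in the same order."""
    return GOST2_ORDER[10:16] == GOST2_ORDER[16:22]

if __name__ == "__main__":
    weak = [1, 2, 3, 4, 5, 0xCAFEBABE, 0xCAFEBABE, 8]     # constructed, K5 == K6
    print(reflection_holds(weak, 0xDEADBEEF), fixed_point_window())
```

Because the placeholder round function is injective in the subkey, `reflection_holds` returns True exactly when K5 = K6, which is the weak key class of size 2^224 named on the slide.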
A Fixed-Point Attack on GOST2
Require: 2^64 pairs of known plaintexts and ciphertexts.
for (Pi, Ci), SK0, SK1, SK2, SK7 do
    S28 ← R^-1_SK28(R^-1_SK29(R^-1_SK30(R^-1_SK31(Ci))))
    S3 ← R_K2(R_K1(R_K0(Pi)))
    T[S3||S28] ← (K0, K1, K2, K7)
end for
for S10 = S16 = S22, K3, K4, K5, K6, K7 do
    S13 ← R_SK12(R_SK11(R_SK10(S10)))
    for K0[0–11], K2[0–11], K1[10] do
        (K0[0–11], K1[12–19], K2[0–11]) ← SOLVE(S16, S13, K0[0–11], K2[0–11], Carry)
    end for
    S3 ← R^-1_SK3(R^-1_SK4(R^-1_SK5(R^-1_SK6(R^-1_SK7(R^-1_SK8(R^-1_SK9(S10)))))))
    S28 ← R_SK27(R_SK26(R_SK25(R_SK24(R_SK23(R_SK22(S22))))))
    (K0, K1, K2, K7) ← T[S3||S28]
    Filter(K0, K1, K2, K7)
    TRY(K0, K1, K2, K3, K4, K5, K6, K7)
end for
[Figure: the attack laid out across the cipher: P, rounds 0–2 (K0, K1, K2), S3, rounds 3–9 (K3, ..., K7), S10, rounds 10–15, S16 (K0[0–11], K2[0–11], K1[12–19]), rounds 16–21, S22, rounds 22–27 (K3, ..., K7), S28, rounds 28–31 (K7, ..., K2), C; the fixed point X is marked at S10, S16 and S22]
◮ Data complexity: 2^64 KPs
◮ Memory complexity: 2^160 blocks
◮ Time complexity: 2^237
We are working on reducing memory consumption.
Summary
◮ New GOST2 does not offer full security against fixed-point and reflection attacks
◮ Same related-key attacks can be applied (including complementation property)
◮ Simple ways to handle these issues exist
Summary of Attacks
Type of attack         Time      Data     Memory (blocks)  No. of keys
Fixed point            2^237     2^64 KP  2^160            All
Reflection             2^192     2^32 KP  2^64             2^224
Impossible reflection  2^253.56  2^63 CP  2^160            2^256 − 2^224
Impossible reflection  2^254.56  2^64 KP  2^160            2^256 − 2^224
Some Aftermath
◮ We posted our results (not including some optimizations we now have) on eprint (report 2016/532)
◮ And we got an interesting email from Grigory Marshalko:
. . . It was clear from the very beginning that with
such a slight change of the key schedule it would be
impossible to fully protect the cipher from these
attacks since the reflection property still exists.
Nevertheless the figures you obtained shows that it is
really possible to mitigate the security threats in a
way. . . .
Summary 2
Wait!
◮ The security analysis does not really say that there are no shortcut attacks
◮ It just implies that fact
◮ and the designer admits they assumed security will not be perfect
◮ Let’s leave the conspiracy theorists what they think of that. . .
Questions?
Thank you
for your Attention!