Enhanced truncated differential cryptanalysis of GOST

Abstract

GOST is a well-known block cipher implemented in standard libraries such as OpenSSL, it has extremely low implementation cost and nothing seemed to threaten its high 256-bit security [CHES 2010]. In 2010 it was submitted to ISO to become a worldwide industrial standard. Then many new attacks on GOST have been found in particular some advanced differential attacks by Courtois and Misztal with complexity of 2179 which are based on distinguishers for 20 Rounds. In July 2012 Rudskoy et al claimed that these attacks fail when the S-boxes submitted to ISO 18033-3 are used. However, the authors failed to consider that these attacks need to be re-optimized again for this set of S-boxes. This is difficult because we have exponentially many sets of differentials. In this paper we present a basic heuristic methodology and a framework for constructing families of distinguishers and we introduce differential sets of a special new form dictated by the specific regular structure of GOST. We look at different major variants of GOST and we have been able to construct a distinguisher for 20 round for CryptoParamSetA and similar results for the new version of GOST submitted to ISO which is expected to be the strongest (!). Therefore there is absolutely no doubt that these versions of GOST are also broken by the same sort of attacks.