Rotational cryptanalysis was introduced by Khovratovich and Ni-kolic as a tool to analyse ARX-type cipher designs. GOST 28147-89 is a formerSoviet Union cipher standard based on a Feistel construction with 32 rounds.Its round function adds the round key modulo 232, transforms the result with4-to-4 bit S-boxes, and rotates the output. We apply the rotational cryptanalysisto GOST version that uses eight identical S-boxes, such as GOST-PS. We showthe existence of (practical) rotational distinguisher in related key model for fullGOST. Furthermore, there is a set of weak keys (rotationally symmetric keys)that enables rotational attacks in single-key model as well. Finally, we show asimple attack on last round that uses the rotational distinguisher to reduce thecomplexity of the full GOST (in average) to 208 bits.

Publié le : 2013-01-01
DOI : https://doi.org/10.2478/tatra.v57i0.237

@article{237,
     title = {Rotational cryptanalysis of GOST with identical S-boxes},
     journal = {Tatra Mountains Mathematical Publications},
     volume = {55},
     year = {2013},
     doi = {10.2478/tatra.v57i0.237},
     language = {EN},
     url = {http://dml.mathdoc.fr/item/237}
}

Zajac, Pavol; Ondroš, Michal. Rotational cryptanalysis of GOST with identical S-boxes. Tatra Mountains Mathematical Publications, Tome 55 (2013) . doi : 10.2478/tatra.v57i0.237. http://gdmltest.u-ga.fr/item/237/