GOST (Russian: ГОСТ) is a set of technical standards originally developed by the government
of the Soviet Union as part of its national standardization strategy, now maintained by the
Euro-Asian Council for Standardization, Metrology and Certification (EASC), a regional standards
organization operating under the auspices of the Commonwealth of Independent States (CIS).
GOST is an acronym of gosudarstvennyy standart (Russian: государственный стандарт), which
simply means state standard.
Figure 3.7: The GOST Round Function
Standard GOST 28147-89 defines several cryptographic algorithms, among them an elliptic
curve based signature scheme and a block cipher. Use of GOST 28147-89 is obligatory in the
Russian Federation in all data processing systems providing public services. The original
description of the algorithm is available here (in Russian). A description in English of the
encryption, decryption, and MAC algorithms is found in RFC 5830.
In the rest of this document GOST simply denotes the block cipher.
Developed in the 1970s as a Soviet alternative to the US standard algorithm DES and originally
classified as “top secret,” the GOST Block Cipher was standardized in 1989, downgraded to
“secret” the following year, and finally declassified and disclosed in 1994.
GOST has a 64-bit block size and a key length of 256 bits. GOST is a balanced Feistel network
of 32 rounds. The round function, depicted in Figure 3.7, is very simple: Let $L$ and $R$ be the
left and right 32-bit halves of the input to a round; add a 32-bit round key modulo $2^{32}$ to
$R$; apply a layer of eight 4-bit S-boxes; and rotate the result thereof left by 11 bits. The
result of that is the output of the round function, which is then XORed to $L$. Then, as in DES,
$R$ and $L$ are swapped.
The S-boxes of GOST are not fixed and for a specific application a new set of S-boxes can be
chosen. Also, they can be public or secret, and contain about 354 ($\log_2((16!)^8)$) bits of
information. If they are secret, the total amount of secret material in the cipher is thus 610
bits.
The key schedule is very simple. The 256-bit key is broken into eight 32-bit subkeys, and each
subkey is used four times in the algorithm; the first 24 rounds use these subkeys in order, the
last 8 rounds use them in reverse order. This broken symmetry allows GOST to eschew slide
attacks.
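
The round function and key schedule described above, written out as an added example (it is not code from the original text). It assumes the PRESENT S-box in all eight positions, i.e. the GOST-PS configuration mentioned under Remarks, works on 32-bit integer halves, and loads subkeys as little-endian words; the function names are the example's own.

```python
# Added example: GOST as a 32-round balanced Feistel network (integer halves only).
# Assumption: all eight S-boxes are the PRESENT S-box ("GOST-PS");
# real deployments choose their own S-box set.
MASK32 = 0xFFFFFFFF
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# S0..S7; S0 acting on the least significant nibble is an assumption here.
SBOXES = [PRESENT_SBOX] * 8


def round_function(r, k):
    """F(R, k): add k modulo 2^32, apply eight 4-bit S-boxes, rotate left by 11."""
    t = (r + k) & MASK32
    s = 0
    for i, box in enumerate(SBOXES):
        s |= box[(t >> (4 * i)) & 0xF] << (4 * i)
    return ((s << 11) | (s >> 21)) & MASK32


def key_schedule(key):
    """Split a 32-byte key into 8 subkeys: three passes in order, one reversed."""
    if len(key) != 32:
        raise ValueError("GOST key must be 256 bits (32 bytes)")
    # Little-endian subkey words are an assumption of this example.
    k = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]
    return k * 3 + k[::-1]


def feistel(left, right, round_keys):
    """Run the Feistel rounds; each round XORs F(R, k) into L and swaps."""
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return right, left  # undo the final swap, as in DES


def encrypt_block(left, right, key):
    return feistel(left, right, key_schedule(key))


def decrypt_block(left, right, key):
    # Decryption is the same network with the 32 round keys in reverse order.
    return feistel(left, right, key_schedule(key)[::-1])
```

Because rounds 25 to 32 use the subkeys in reverse, the round-key sequence is not periodic over all 32 rounds, which is the broken symmetry the text refers to.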
3.4.1 Remarks
GOST is very similar to DES; however, there are some significant differences:
(a) It is one of the first widely deployed ciphers to use 4-bit S-boxes.
(b) Since S-boxes can be chosen for specific applications, an implementation using just one S-box
could be effectively implemented in software using bit-slicing.
(c) It uses a simple rotation instead of a more complicated permutation, and does not have an
expansion permutation. The consequence is that the avalanche effect is slower. This is offset
by the larger number of rounds.
(d) Alex Poschmann et al. [PLW10] revisit GOST and observe that its design makes it ideal for
low gate count hardware implementations and good throughput. They use a single S-box (the
same S-box as PRESENT, Section 3.29 on page 206), following recent design trends to use just
one good S-box instead of several random(ish) ones. Their performance results are reported
in Table 4.1 on page 237, where both GOST implemented with eight different S-boxes as
used by the Central Bank of the Russian Federation (GOST-FB), and GOST with the PRESENT
S-box eight times (GOST-PS) are measured.
It is also one of the earliest ciphers to combine bitwise XOR and modular addition – two
mutually non-linear operations. This is a fundamental aspect of many subsequent cipher designs.
3.4.2 Cryptanalysis
Until about 2010 the cipher was considered very secure, and thus a good alternative to AES-256.
However, since 2010 several attacks have been published. The best undisputed cryptanalysis
is a differential attack that breaks the cipher with complexity $2^{179}$ [Cou12a], whereas with
the controversial XSL attack [CP02b] Nicolas Courtois claims that it is possible to attack GOST
with heuristic complexity $2^{100}$ (the time complexity of attacking AES-256 with the same
methods is claimed to be $2^{101}$). See also [Cou12b, Cou13].
We mentioned that the GOST S-boxes are free to be chosen for any specific application
and can also be kept secret. Their entropy is approximately 354 ($\log_2((16!)^8)$) bits, so the
effective key size could, in theory, be increased to 610 bits. However, some care is necessary
in the implementation and protocols to avoid giving an attacker access to an oracle where he
can set a zero key. Under this assumption, Markku-Juhani Saarinen has shown how to mount an
attack (cf. Subsection subsec:GOST-sbox-recovery) that recovers the contents of all the S-boxes
in time $2^{32}$. Therefore the secrecy of the S-boxes does not increase the strength of the
cipher in several scenarios.
3.4.3 Intellectual Property
We are not aware of any patents on the GOST block cipher.
3.4.4 Advantages and Disadvantages
It is a fast and small cipher; however, there are concerns about its security.