faster attacks on full gostfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdffaster attacks...
TRANSCRIPT
![Page 1: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/1.jpg)
Faster Attacks on Full GOST
Nicolas T. CourtoisUniversity College London, UK
2216
21852178
219222252224
FSE2011
FSE2012
2011/626
![Page 2: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/2.jpg)
Faster Attacks on GOST
Courtois FSE 20122
New Group:
PLEASE JOIN!
![Page 3: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/3.jpg)
Faster Attacks on GOST
Courtois FSE 20123
Russian Subtitles On:
code breakers ==
взломщики кодов
![Page 4: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/4.jpg)
Faster Attacks on GOST
Courtois FSE 20124
GOST Cipher
трудновскрываемый шифр
![Page 5: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/5.jpg)
Faster Attacks on GOST
Courtois FSE 20125
BEWARE
I’m going to cheat you and totally ignore
the large data complexity of many attacks…
⇒ just compare the running time
![Page 6: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/6.jpg)
Faster Attacks on GOST
Courtois FSE 20126
GOST Block Cipher
It is NOT correct to compare GOST to DES.– 256 bits key = a military level of security– a former "Top Secret" government algorithm used by
major banks etc…– not a commercial algorithm like DES…
– DES was “breakable” from day 1 » due to reduced key space = 56 bits
– DES could be used ONLY for unclassified documents. In contrast:
– GOST “does not place any limitations on the secrecy level of the protected information”
• cf. preface to English translation of GOST, by Aleks. Malchik and Whit Diffie
![Page 7: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/7.jpg)
Faster Attacks on GOST
Courtois FSE 20127
GOST in ISO
• In 2010 GOST was also submitted to ISO to become an international standard.
• In the mean time GOST was broken…– plethora of new attacks…
![Page 8: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/8.jpg)
Faster Attacks on GOST
Courtois FSE 20128
Black-Box Algebraic
Complexity Reduction
![Page 9: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/9.jpg)
Faster Attacks on GOST
Courtois FSE 20129
Black Box Complexity Reduction Paradigm [Courtois 2011]
Black-box high-levelguess and determine methods which transforman attack on 32 rounds of GOST
into an attack on e.g. 8 rounds of GOST with much less data.
![Page 10: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/10.jpg)
Faster Attacks on GOST
Courtois FSE 201210
Reductions
• Given 2X KP for the full 32-round GOST.• Obtain Y KP for 8 rounds of GOST.• This valid with probability 2-Z. • For a proportion 2-T of GOST keys.
Two examples were given on Monday.
As many 18 distinct reductions of this type with a large variety of 2X,Y, 2-Z, 2-T
can be found ateprint/2011/626
![Page 11: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/11.jpg)
Faster Attacks on GOST
Courtois FSE 201211
Black-Box Complexity Reduction - Already Known?
Slide / Fixed Point / Cycling / Guess-Det. / Involution / Etc..
WHAT’S NEW? • There are now many completely new attacks
which are exactly none of the above [though similar or related].• Many of these attacks were never studied
because they generate only a few known plaintexts, and only in the last 5 years it became possible to design an appropriate last step for these attacks which is a low-data complexity key recovery e.g.
– software algebraic attack– MITM attack, also gets highly non-trivial as seen on Monday…
![Page 12: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/12.jpg)
Faster Attacks on GOST
Courtois FSE 201212
One Example of Black Box Reduction
![Page 13: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/13.jpg)
Faster Attacks on GOST
Courtois FSE 201213
Appears in Cryptologia, Issue 1, 2012
not
similar
![Page 14: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/14.jpg)
Faster Attacks on GOST
Courtois FSE 201214
Which Attacks on GOSTAre Now The Fastest?
![Page 15: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/15.jpg)
Faster Attacks on GOST
Courtois FSE 201215
A Very Weird Attack
In eprint/2011/626, Fact 23, page 41.
With probability 2-32 over the 256-bit keys,they key can be recovered in time of 2154.
Observe that 232 x 2154 = ONLY 2186
< 2192 [FSE 2012]
![Page 16: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/16.jpg)
Faster Attacks on GOST
Courtois FSE 201216
Compare:
Courtois Attacks 2011/626
Dinur-Dunkelman-Shamir FSE 2012
2216
Fact 12
63 %
2216
Fact 13
another 63 %2192
2154
Fact 23
2-32
2121
Fact 27
2-64
![Page 17: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/17.jpg)
Faster Attacks on GOST
Courtois FSE 201217
what if we CAN do 2186 computations but not more
Courtois Attacks 2011/626
Dinur-Dunkelman-Shamir FSE 2012
2216
Fact 12
63 %
2216
Fact 13
another 63 %2192
2154
Fact 23
2-32
2121
Fact 27
2-64
WORKSfinds 1 keyout of 232
FAILS�
![Page 18: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/18.jpg)
Faster Attacks on GOST
Courtois FSE 201218
Conclusion:
Single Key Attacksdo NOT capture
realistic attacks with random and uniformly distributed keys
![Page 19: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/19.jpg)
Faster Attacks on GOST
Courtois FSE 201219
Last But Not Least
![Page 20: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/20.jpg)
Faster Attacks on GOST
Courtois FSE 201220
Latest Attack on GOST [March 2012]
![Page 21: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/21.jpg)
Faster Attacks on GOST
Courtois FSE 201221
Most Recent Attack
• a true single key attack.• based on sets of differentials.• T = 2178, better than any previous.• submitted to eprint last week.
![Page 22: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/22.jpg)
Faster Attacks on GOST
Courtois FSE 201222
How To Find Such An Attack
Best differential property we ever found was found BY HAND.
Is systematic approach possible?
![Page 23: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/23.jpg)
Faster Attacks on GOST
Courtois FSE 201223
Our Attack = Graph Walks With Costs
![Page 24: Faster Attacks on Full GOSTfse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdfFaster Attacks on Full GOST Nicolas T. Courtois University College London , UK 2216 2185 2178 2192](https://reader036.vdocuments.us/reader036/viewer/2022081402/5f099a6a7e708231d4279fa2/html5/thumbnails/24.jpg)
Faster Attacks on GOST
Courtois FSE 201224
Remark:
• the structure of this graph does NOT depend on the S-boxes
• only costs (probabilities) depend on the S-boxes