256 Bit Standardized Crypto for 650 GE - GOST …...Axel Poschmann 256 Bit Standardized Crypto for 650 GE - GOST revisited 18.08.2010 3 Introduction GOST = GOvernment STandard государственный

256 Bit Standardized Crypto for 650 GE - GOST Revisited

A. Poschmann, S. Ling, and H. Wang

Axel PoschmannDivision of Mathematical Sciences, School of Physical and Mathematical Sciences

18 August 2010

Axel Poschmann 256 Bit Standardized Crypto for 650 GE - GOST revisited 18.08.2010

Outline

• Introduction• GOST• How to choose a set of S-boxes?• Implementation Results• Conclusions

2

Axel Poschmann 256 Bit Standardized Crypto for 650 GE - GOST revisited 18.08.2010 3

IntroductionGOST = GOvernment STandard

государственный стандарт

In this talk we focus on GOST 28147-89

• GOST 28147-89:• Block cipher standardized in 1989• „Soviet cousin“ of DES• IETF draft• Discussed for inclusion in ISO 18033-3





• 21 years of cryptanalysis:• Related-key DC breaks 21 rounds /w 256 CP• Slide attack breaks 24 rounds /w 263 CP (30 when S-boxes are known)• Reflection attack on full-round GOST /w 232 CP and time 2192 (assumes bijective S-boxes, works only on 2224 keys)






• 21 years of cryptanalysis:• Related-key DC breaks 21 rounds /w 256 CP• Slide attack breaks 24 rounds /w 263 CP (30 when S-boxes are known)• Reflection attack on full-round GOST /w 232 CP and time 2192 (assumes bijective S-boxes, works only on 2224 keys)


2010 GOST is still secure!


Outline

• Introduction• GOST• How to choose a set of S-boxes?• Implementation Results• Conclusions

4

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST I

• 2 branch Feistel Network• 32 rounds• 64-bit block size• 256-bit key length• K=K0||K1||K2||K3||K4||K5||K6||K7

• No key schedule

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST I


• No key schedule

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST I


• No key schedule

Reverse Order!

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST II

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST II

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST II

S-boxes not specified!

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST II

S-boxes not specified!• Design goal: flexible security level (possibly security concerns)• Selection of S-boxes is part of key• 28·16! possible sets• => 354 additional key bits• But! set revealed by 232 chosen keys• No restrictions for S-boxes

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32


GOST II

S-boxes not specified!• Design goal: flexible security level (possibly security concerns)• Selection of S-boxes is part of key• 28·16! possible sets• => 354 additional key bits• But! set revealed by 232 chosen keys• No restrictions for S-boxes

Proper choice of S-boxes is crucial!


Outline

• Introduction• GOST•How to choose a set of S-boxes?• Implementation Results• Conclusions

7


A Proper ChoiceOne example are the S-boxes used by the Central Bank of Russian Federation



Another standard conform example is to use 8 times the PRESENT S-box




8 4

66664688

max DC

812121212121212

max SbW




8 4

66664688

max DC

812121212121212

max SbW

GOST-FB

GOST-PS


Outline

• Introduction• GOST• How to choose a set of S-boxes?•Implementation Results• Conclusions

9


Implementation Comments

• In RFID scenarios key is most likely fixed• store key in EEPROM etc• hardwire key• if key update needed• additional 256 FF required

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32


Implementation Results IUMCL18G212T3 library

S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

GOST-FB GOST-PS

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

GOST-FB GOST-PS

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

GOST-FB GOST-PS

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

<<11

>>11

GOST-FB GOST-PS

input

State R[Reg-4/32]

output

44 44

S-layer

controldone

counter[5bit]

4

+

State L[Reg-4/32]

4

4

32

32

32

>>11<<11

3232

4

k0

k1

k2

k3

k4

k5

k6

k7

4

4

4

NLFSR[3bit]

3

3

5

3reset

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

<<11

>>11

GOST-FB GOST-PS

input

State R[Reg-4/32]

output

44 44

S-layer

controldone

counter[5bit]

4

+

State L[Reg-4/32]

4

4

32

32

32

>>11<<11

3232

4

k0

k1

k2

k3

k4

k5

k6

k7

4

4

4

NLFSR[3bit]

3

3

5

3reset

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

<<11

>>11

GOST-FB GOST-PS

input

State R[Reg-4/32]

output

44 44

S-layer

controldone

counter[5bit]

4

+

State L[Reg-4/32]

4

4

32

32

32

>>11<<11

3232

4

k0

k1

k2

k3

k4

k5

k6

k7

4

4

4

NLFSR[3bit]

3

3

5

3reset

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

651GE

800GE

264 CLKserial264 CLKserial

<<11

>>11

GOST-FB GOST-PS

input

State R[Reg-4/32]

output

44 44

S-layer

controldone

counter[5bit]

4

+

State L[Reg-4/32]

4

4

32

32

32

>>11<<11

3232

4

k0

k1

k2

k3

k4

k5

k6

k7

4

4

4

NLFSR[3bit]

3

3

5

3reset

<<11 S-layer

Li

Ri

Ki

Ri+1

Li+1

32

32

32

3232

32



S

S

S

S

S

S

S

S

4

4

4

44

4

4

4

32 32

S1

S2

S3

S4

S5

S6

S7

S8

4

4

4

44

4

4

4

32 32

651GE

800GE

264 CLKserial264 CLKserial

1017 GE

1000 GE

32 CLKround32 CLKround

<<11

>>11

GOST-FB GOST-PS


Implementation Results II

0

500

1.000

1.500

2.000

2.500

3.000

3.500

PRINTcipher-48KTANTAN48

GOST-PS

KATAN48PRESENT

AES(tbp)

AES

PRINTcipher-96

8080

256160

80128128

80

GE

GOST-FB

256


Outline

• Introduction• GOST• How to choose a set of S-boxes?• Implementation Results•Conclusions

13


Conclusions

• First hardware implementation of GOST 28147-89• GOST 28147-89:• is standardized since 1989• survived 21 years of cryptanalysis• has a very compact hardware area footprint (651 GE)• has a key length of 256 bits


Conclusions

• First hardware implementation of GOST 28147-89• GOST 28147-89:• is standardized since 1989• survived 21 years of cryptanalysis• has a very compact hardware area footprint (651 GE)• has a key length of 256 bits

GOST seems to be suitable for low-cost yet high secure applications


Thank you!

Axel PoschmannDivision of Mathematical Sciences Nanyang Technological UniversitySPMS-MAS-04-20, 50 Nanyang AvenueSingapore 639798 T (65) 6513-7459 GMT+8h E [email protected] www.ntu.edu.sg/home/aposchmann/

Questions?

mailto:[email protected]

mailto:[email protected]

http://www.ntu.edu.sg/home/aposchmann/

http://www.ntu.edu.sg/home/aposchmann/

Documents

256 Bit Standardized Crypto for 650 GE - GOST …...Axel Poschmann 256 Bit Standardized Crypto for 650 GE - GOST revisited 18.08.2010 3 Introduction GOST = GOvernment STandard государственный