Improved Single-Key Attacks on 2-GOST

GOST, known as GOST-28147-89, was standardized as the Russian encryption standard in 1989. It is a lightweight-friendly cipher and suitable for the resource-constrained environments. However, due to the simplicity of GOST’s key schedule, it encountered reflection attack and fixed point attack. In order to resist such attacks, the designers of GOSTproposed a modification of GOST, namely, 2-GOST.&is new version changes the order of subkeys in the key schedule and uses concrete S-boxes in round function. But regarding single-key attacks on full-round 2-GOST, Ashur et al. proposed a reflection attack with data of 232 on a weak-key class of size 2224, as well as the fixed point attack and impossible reflection attack with data of 264 for all possible keys. Note that the attacks applicable for all possible keys need the entire plaintext space. In other words, these are codebook attacks. In this paper, we propose single-key attacks on 2-GOSTwith only about 232 data instead of codebook. Firstly, we apply 2-dimensional meet-in-themiddle attack combined with splice-cut technique on full-round 2-GOST.&is attack is applicable for all possible keys, and its data complexity reduces from previous 264 to 232. Besides that, we apply splice-cut meet-in-the-middle attack on 31-round 2-GOST with only data of 232. In this attack, we only need 8 bytes of memory, which is negligible.


Introduction
GOST block cipher [1] is known as GOST-28147-89 designed during the 1970s by the Soviet Union. It was standardized as the Russian encryption standard in 1989. As a lightweightfriendly block cipher, GOST is suitable for the resourceconstrained environments such as RFID tags and sensor nodes.
GOST's block size is 64 bits and key size is 256 bits. Round function adopts Feistel construction, in which there are a modular addition with subkey, 8 S-boxes and one rotation operation. However, the S-boxes used in GOST are not specified in the standard document. Each industry can use its own secret favored set of S-boxes to enhance the security of GOST. For example, the S-boxes used in the Central Bank of the Russian Federation is known in [2]. Besides that, the key schedule of GOST is extremely simple. 256-bit master key is divided into eight 32-bit words; then the 32-bit subkeys used in different round functions directly extract from these 8-word keys according to a special order.
Due to the simplicity of GOST's key schedule, two attacks on full-round GOST were published by Isobe in [3] and Dinur et al. in [4] in 2011. In [3], Isobe combined the reflection property and meet-in-the-middle (MITM) attack to propose the single-key attack on full-round GOST. As a result, the key can be recovered with 2 224 computations and 2 32 known plaintexts. In [4], Dinur et al. introduced a new fixed point property as well as a better way to improve the attacks on full-round GOST. Given 2 32 data, the memory complexity can reduce from 2 64 to 2 36 with the same time complexity 2 224 . Given 2 64 data, the time complexity can be down to 2 192 . Although these attacks are not practical, they indicate the a priori in security of GOST. In order to resist reflection attack and fixed point attack, the designers of GOST proposed a modification of GOST block cipher, named, 2-GOST [5]. In the new modification, there are two differences from original GOST. Firstly, the authors retained the same principle for key schedule as in GOST but changed the order of subkeys against existed attacks. Secondly, two concrete S-boxes were specified in the design document of 2-GOST for convenient cryptanalysis and better implementation.
Unfortunately, full-round 2-GOST still encounters reflection attack and fixed point attack. At FSE'17, Ashur et al. [6] proposed single-key attacks on it. Given 2 32 data, the key can be recovered with 2 192 computations by reflection attack. However, this attack only works for 2 224 out of 2 256 possible keys, which means this is a weak-key attack. For sake of valid for all possible keys, the authors proposed impossible reflection attack and fixed point attack. Both need 2 64 known plaintexts. In other words, these are codebook attacks, since they use the entire plaintext space. ese results are summarized in Table 1.
In this paper, our motivation is to propose attacks on 2-GOST with about 2 32 data instead of codebook, further to indicate that the key schedule in modification version 2-GOST is not a good choice yet. Our contributions are summarized as follows: 2-dimensional MITM attack on full-round 2-GOST 2-dimensional MITM attack was proposed by Zhu and Gong in [7] to attack KATAN. en, it has been applied on TWINE [8], GOST [4], and so on. is attack can improve the performance of general MITM attack, but attackers must be careful about the time complexity of accessing tables. In this paper, we apply 2-dimensional MITM attack combined with splice-cut technique [9] on full-round 2-GOST exploiting the weakness in key schedule. is attack is applicable for all possible keys with time complexity of 2 252 full-round encryptions and memory complexity of 2 228 bytes. Furthermore, the data reduced from previous 2 64 (codebook) to 2 32 chosen plaintexts under single-key setting. e result is shown in Table 1. Splice-cut MITM attack on 31-round 2-GOST Based on some observations on key schedule and modular addition in the round function of 2-GOST. We apply MITM attack combined with splice-cut technique on reduced 31-round 2-GOST (0 ∼ 30 rounds). is attack is applicable for all possible keys with data complexity of 2 32 chosen plaintexts and time complexity of 2 252.9 full-round encryptions. It is important to stress that we only use 8-byte memory in this attack which is negligible. e result is shown in Table 1.
is paper is organized as follows. In Section 2, we introduce the specifications of GOST and 2-GOST. en, in Section 3, we briefly describe the general MITM attack, splice-cut MITM attack, and 2-dimensional MITM attack. In Sections 4 and 5, we propose the 2-dimensional MITM attack on full-round 2-GOST and splice-cut MITM attack on 31-round 2-GOST, respectively. Lastly, we summarize this paper in Section 6.

Specifications of GOST and 2-GOST
GOST [1] is a bit-wise lightweight block cipher proposed by the Soviet Union. Its block size is 64 bits, key size is 256 bits, and total rounds are 32. GOST adopts Feistel construction as its round function, in which there are a nonlinear layer composed of eight bijective 4-bit S-boxes S i , i � 0, 1, . . . , 7 and a linear layer only containing a left rotation ⋘11. Especially, subkeys are mixed with internal state by modular addition ⊞ instead of traditional XOR. Please see the round function depicted in Figure 1. e S-boxes S i : F 4 2 ⟶ F 4 2 , i � 0, 1, . . . , 7 used in GOST are bijective but not specified in the standard document. Each industry can choose its own secret favored set of S-boxes to enhance the security of GOST. Please refer to an example, the S-boxes used in the Central Bank of the Russian Federation in [2].
2-GOST [5] is the modified version of GOST. It was proposed by the same designers of GOST for the purposed of fixing weaknesses in key schedule against reflection attack and fixed point attack. e differences between 2-GOST and GOST are selection of S-boxes and the order of subkeys in the key schedule. Unlike uncertain S-boxes used in GOST, 2-GOST adopts two concrete bijective S-boxes. Since we only use the bijective property of S-box in this paper, we omit the specification of S-box here. Besides that, 2-GOST uses another order of subkeys comparing with GOST, which is summarized in Table 3.

General MITM Attack.
e general MITM attack has two phases, one is the MITM phase and the other one is the brute-force testing phase.
Assume an n-bit block cipher E with k-bit secret key K is divided into two subciphers E 1 , E 2 , while K is divided into three key parts K 1 , K 2 , and K 3 . K 1 is only used in E 1 and K 2 is only used in E 2 and K 3 is the rest of K. e framework of general MITM attack is shown in Figure 2 and the steps of this attack is summarized as follows.
(1) For each possible K 3 , guess each possible K 1 , then compute v � E 1 (P), and store all possible K 1 into a table S indexed by v. (2) For each possible K 2 , compute the v ′ � E − 1 2 (C), then access the v ′ -th entity of table S to extract K 1 . Current (K 1 , K 2 , and K 3 ) is a candidate key.
(ii) Brute-force testing phase: (1) Test every candidate key with other plaintext/ ciphertext pairs until only the right key is remained.
After the MITM phase, we get 2 k− n � 2 |K 1 |+|K 2 | /2 n × 2 |K 3 | candidate keys. In brute-force testing phase, the attacker exhaustively searches the true key by using extra plaintext/ciphertext pairs. Finally, the time complexity C comp of the attack in total is e required plaintext/ciphertext pairs is k/n, while the memory cost is min(2 |K 1 | , 2 |K 2 | ) memory blocks. Note that the "Partial Matching" technique [9] can be used to improve the performance of some MITM attacks. In such case, the matching point (v, v ′ ) is only l bits instead of n bits, so some bits of key in K 1 , K 2 , and K 3 need not be involved in.

Splice-Cut MITM Attack.
In the chosen plaintext and chosen ciphertext settings, the first and the last rounds of the block cipher can be regarded as two successive rounds. Aoki and Sasaki applied splice-cut technique into MITM attack [9].
Assume an n-bit block cipher E with k-bit secret key K is divided into three subciphers E 1 , E 2 , and E 3 , while K is divided into three key parts K 1 , K 2 , and K 3 . K 1 is only used in E 1 and E 3 , K 2 is only used in E 2 , and K 3 is the rest of K. e framework of splice-cut MITM attack is shown in Figure 3, and the steps of the attack are summarized as follows: (i) MITM phase: For each possible K 3 , then access the v ′ -th entity of table S to extract K 1 . Current (K 1 , K 2 , K 3 ) is a candidate key.
(iii) Brute-force testing phase: (1) Test every candidate key with other plaintext/ ciphertext pairs until only the right key is remained.
e time and memory complexities are same as those in general MITM attack. However, the data complexity depends on E 1 and K 1 . Assume that m bits of plaintext P are not affected by K 1 when we compute P � E − 1 1 (P ′ ); we can fix such m bits of plaintext as a constant in advance and then choose suitable P ′ . As a result, the data complexity is 2 n− m .

Dimensional MITM Attack.
is attack was proposed in [7]. It is suitable to attack ciphers whose key size is larger than block size.
Assume an n-bit block cipher E with k-bit secret key K is divided into four subciphers E 1 , E 2 , E 3 , and E 4 . Key part K i is used in subcipher E i , i � 1, 2, 3, 4. e framework of 2dimensional MITM attack is shown in Figure 4 and the steps of the attack is summarized as follows.
(i) MITM phase: (1) For each possible K 1 , compute v 1 � E 1 (P), and put K 1 into table S 1 indexed by the value of v 1 ;     Table  3: Key schedule of 2-GOST.
is also in table S 3 . If true, current (K 1 , K 2 , K 3 , K 4 ) is a candidate key.
(ii) Brute-force testing phase: (1) Test every candidate key with other plaintext/ ciphertext pairs until only the right key is remained.
For each possible value of a, there are 2 k− |v 1 |− |v 2 | candidate keys remained. After the MITM phase, we totally get 2 |a| × 2 k− |v 1 |− |v 2 | � 2 |a|+k− |v 1 |− |v 2 | candidate keys. In brute-force testing phase, the attacker exhaustively searches the true key by using extra plaintext/ciphertext pairs. Finally, the time complexity C comp of the attack in total is (2) In such attack, the data complexity is k/n, while the memory complexity happens to store tables S i , i � 1, 2, 3.
Remark. In the 2-dimensional MITM attack model, the time of accessing tables is omitted in step 3b. However, it is much possible to be the main time complexity in some attacks. For example, Wen et al. indicated in [11] that the actual time complexity of 2-dimensional MITM attack on TWINE proposed in [8] exceeded the brute-force time. So in our attack on 2-GOST, we will take this part time into consideration.

2-Dimensional MITM Attack on Full-Round 2-GOST
In this section, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST. Before formally introducing the attack, we firstly illustrate how to decide the partial matching (meeting) point.
(2) Guess each possible K 4 , compute the value of (X L 25 , (c) For each compatible K 3 ∪ K 4 from step 3b, access table S 3 by index. If K 3 ∪ K 4 is compatible with K 1 ∪ K 2 , current K 1 ∪ K 2 ∪ K 3 ∪ K 4 is a candidate key. Test the candidate key with other plaintext/ ciphertext pairs.

MITM Attack on 31-Round 2-GOST
2-GOST is a modified version of GOST by changing the key schedule to avoid reflection attack and fixed point attack. In this section, we apply the general MITM attack combined with splice-cut technique on 31-round 2-GOST due to the new order of subkeys. By analyzing the key schedule of 2-GOST, we observe the fact that K 1 has no chance to be used from Round 2 to Round 13. On the other hand, K 7 has no chance to be used from Round 19 to Round 30 as well. Furthermore, Round 0 to Round 2 could be computed without K 7 . Based on those observations, we construct a MITM attack on the reduced 31-round 2-GOST. Figure 8 shows an overview of the attack.

Complexity Evaluation.
According to (2), in the MITM phase, the time complexity is about 2 248 × 2 4 14-round encryptions and 2 248 × 2 4 15-round encryptions, which is equal to 2 251.9 31-round encryptions. Meanwhile, in the brute-force testing phase, the time complexity is about 2 252 31-round encryptions. Totally, the time complexity of the whole attack is 2 251.9 + 2 252 ≈ 2 252.9 31-round encryptions. Since X L 0 [14 ∼ 11], X R 0 [31 ∼ 11], and X R 0 [6 ∼ 0] are not affected by K 1 � K 1 [31 ∼ 28] (depicted in Figure 10); these 32 bits of plaintext can be fixed in advance. erefore, the data complexity in MITM phase is 2 32 chosen plaintexts. Regarding the required memory, it mainly happens to build  Matching Matching : data affected by K 3 : data affected by K 4 Matching Matching : data affected by K 1 : data affected by K 2 is any value of K 1 in the v ′ -th entity of S. If so, current (K 1 , K 2 , K 3 ) is a candidate key.
(ii) Brute-force testing phase: (1) Test every candidate key with other plaintextciphertext pairs until only the right key is remained

Conclusion
In this paper, we improve the single-key attacks on 2-GOST, a modification of GOST, with data of 2 32 for all possible keys. Firstly, we apply 2-dimensional MITM attack combined with splice-cut technique on full-round 2-GOST. Its time and memory complexities are 2 252 encryptions and 2 223 256bit blocks, respectively. en, we apply splice-cut MITM attack on reduced 31-round 2-GOST. e time complexity is 2 252.9 encryptions and memory complexity is negligible. Note that these attacks are still not practical to be implemented, but they indicate that the key schedule in the modification version 2-GOST is not a good choice yet.

Data Availability
e data used to support the findings of this study are included within the article.

Security and Communication Networks 9
Conflicts of Interest e authors declare no conflicts of interest.