A compress slide attack on the full GOST block cipher

Information Processing Letters 113 (2013) 634–639

Linzhen Lu ∗, Shaozhen Chen

State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002, China

∗ Corresponding author. E-mail address: [email protected] (L. Lu).

Article info

Article history: Received 19 March 2013. Received in revised form 22 May 2013. Accepted 24 May 2013. Available online 29 May 2013. Communicated by V. Rijmen.

Keywords: Cryptography; Block cipher; GOST; Cryptanalysis; Slide attack; Compress slide attack

Abstract

Slide attacks are powerful tools that analyze iterated block ciphers with an arbitrarily large number of rounds by exploiting their self-similarity. But conventional techniques fail if there are unslid rounds in the middle of a slid sequence. This paper introduces a novel variant of the slide attack, called the compress slide attack. This technique compresses several unslid rounds with a high probability in order to break ciphers with unslid rounds in the middle of a slid sequence. In particular, a compress slide attack on the full 32-round GOST block cipher is presented. It can recover a key with a time complexity of about $2^{192}$ encryptions and $2^{64}$ data.

© 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.ipl.2013.05.012

1. Introduction

Most modern block ciphers are constructed as an iterative algorithm of repeated keyed round functions. The security of such ciphers relies on the number of rounds. As the speed of computers grows, some standard encryption algorithms use more rounds, for example DES (16) [1], 3DES (48), GOST (32) [2], SMS4 (32) [3], rendering all currently known cryptanalytic techniques useless. This is mainly due to the fact that many attacks on block ciphers, such as differential cryptanalysis [4] and linear cryptanalysis [5], are statistical and their effectiveness rapidly reduces as the number of rounds increases. Almost all such approaches finally reach their limits.

There are only a few attacks that are independent of the number of rounds. One of them is the slide attack presented by Biryukov and Wagner in 1999 [6]. The slide attack constructs a slid sequence (several rounds of two encryption processes are identical keyed permutations) by exploring self-similarity, then searches the given data for a slid pair which has identical input–output of the slid sequence, and finally analyzes the relation between the slid pair in order to derive some key material. The basic slide attack works on one-round self-similar ciphers, i.e., all round keys are identical. In 2000, Biryukov and Wagner presented advanced slide attacks, namely the complementation slide and sliding with a twist [7]. These variants allow for treating slightly more complex round functions in the slide framework. Nevertheless, the previous slide attacks are only applicable to ciphers with self-similarity up to 4 rounds, and only if there is no unslid round in the middle of a slid sequence. In 2005, Raphael C.-W. Phan presented a new variant of the slide attack: the realigning slide attack [9]. This technique breaks DES variants by utilizing the differential distribution of S-boxes. Up to now, it is still difficult to construct a long enough slid sequence to analyze the full block cipher.

The GOST block cipher is a 64-bit block cipher proposed by the former Soviet Union, and uses eight secret S-boxes [2]. It is based on a 32-round Feistel structure with 256-bit key size. Over the past decades, a number of attacks on GOST have been published. Ko et al. showed a related-key differential attack on the full GOST [8]. Fleischmann et al. presented a related-key boomerang attack on the full GOST [11] and Rudskoy modified it [12]. Furthermore, Isobe published the first single key attack on the full 32-round version of GOST [14], Courtois and Misztal described a differential attack in 2011 [13], and Dinur introduced a new fixed point property and found improved attacks on the full GOST [15]. In particular, several slide attacks on GOST have been published. A slide attack on 20-round GOST, in which the key addition is replaced by exclusive OR, was proposed by Biryukov and Wagner [7]. Biham et al. showed slide attacks on the reduced GOST [10]. If an attacker does not know the values of S-boxes, the 24-round GOST can be attacked. If the values are known, this attack can be improved up to 30 rounds. In addition, for a class of $2^{128}$ weak keys, the full GOST can be attacked. After that, Dunkelman et al. proposed a mirror slide attack on a reduced round variant of the GOST block cipher that consists of the last 20 of its 32 rounds [16]. In spite of considerable cryptanalytic efforts, a slide attack on the whole GOST block cipher has not been published so far.

In this paper, we first introduce a novel variant of the slide attack, called the compress slide attack. The core idea of this attack is to compress several unslid rounds with a high probability to enhance the slide attack. If some round functions are compressed, we can construct a long enough slid sequence to attack the full block cipher. Thus, our attack is applicable to ciphers with unslid rounds in the middle of a slid sequence. Then, we illustrate this new approach on the full GOST block cipher. As a result, we succeed in constructing a consecutive slid sequence for the full GOST block cipher. It can recover a key with a time complexity of $2^{192}$ encryptions and $2^{64}$ data. Our attack can be applied to any S-boxes as long as they are bijective. A comparison between the previously published slide attacks on the GOST and our new attack is given in Table 1.

Table 1. Slide attacks on the GOST.

| Cipher | Rounds | Key bits | Data | Time | Paper |
|---|---|---|---|---|---|
| GOST⊕ | 20 | 256 | $2^{33}$ | $2^{70}$ | [7] |
| GOST | 20 | 256 | $2^{33}$ | $2^{77}$ | [16] |
| GOST | 24 | 256 | $2^{63}$ | $2^{63}$ | [10] |
| GOST | 32 | 128 | $2^{63}$ | $2^{63}$ | [10] |
| GOST | 30 | 256 | $\approx 2^{64}$ | $2^{253.7}$ | [10] |
| GOST | 32 | 256 | $2^{64}$ | $2^{192}$ | This paper |

GOST⊕: The key addition is replaced by exclusive OR.

This paper is organized as follows. In Section 2, we briefly introduce the basic slide attack and some variants. A detailed description of the compress slide attack is given in Section 3. In Section 4, we present a compress slide attack on the full GOST block cipher. Finally, we summarize this paper and outline a possible problem in relation to extending the slide attacks in Section 5.

2. The slide attacks

Slide attacks are developed in order to break iterative cryptosystems with an arbitrarily large number of rounds by exploiting their self-similarity. In this section, we briefly describe the basic slide attack and some variants.

Let $E$ be an $r$-round block cipher with $n$-bit block size, $F_{k_i}$ be the $i$-th round function keyed by round subkey $k_i$, $(P, C)$ be a plaintext and the corresponding ciphertext, $X_i$ be the intermediate value of the block cipher after $i$ rounds of encryption, where $i = 0, \ldots, r$, $X_0 = P$, $X_r = C$. See Fig. 1.

Fig. 1. A typical block cipher.

The basic slide attack considers block ciphers with one-round self-similarity, i.e., each round function is identical to the other. In this case, we drop the subscripts and simply write $F$ for the generic round function. So $E = F \circ F \circ \cdots \circ F = F^r$. Let $(P, C)$, $(P', C')$ be known plaintext–ciphertext pairs for $E$. If we have a match $X'_0 = X_1$, then $X'_j = F(X'_{j-1}) = F(X_j) = X_{j+1}$, for $j = 1, \ldots, r - 1$. It means that if two plaintexts $(P, P')$ satisfy $P' = F(P)$, then the ciphertexts satisfy $C' = F(C)$ as well. Such a pair is called a slid pair [6]. See Fig. 2.

Fig. 2. A basic slide attack.

To find the concerning plaintext–ciphertext pairs, the naive way is to collect arbitrary $2^{n/2}$ known plaintexts, where $n$ is the block size. Thanks to the birthday paradox, there exists such a slid pair with a high probability. The only requirement on the round function $F$ is that it is “simple” enough, i.e., given two plaintext–ciphertext pairs, it is easy to deduce information about the key.

The basic slide attack works on one-round self-similar ciphers. When the self-similarity consists of more complex rounds, then further advanced slide techniques have to be used. Complementation slide and sliding with a twist were presented in [7]. The complementation slide amplifies two-round self-similarity into one-round self-similarity. The basic idea is to slide two encryptions such that the slid sequences, rather than being exactly identical to each other, have a constant difference. In this way, the plaintexts and ciphertexts forming a slid pair are still related by one unslid round. The sliding with a twist slides an encryption with a decryption and is equally applicable to ciphers with two-round self-similarity. The two above techniques can also be combined into the complementation sliding with a twist to attack ciphers with up to four-round self-similarity.

When there are unslid rounds in the middle of a slid sequence, both the basic and advanced slide attacks fail. In 2005, Raphael C.-W. Phan presented a new variant of the slide attack, called the realigning slide attack [9]. The realigning slide attack breaks DES variants (including the full 16 rounds with the original key schedule for a fraction of all keys and tweaked key schedules for almost all keys) with dissimilar rounds in the middle of a slid sequence by utilizing the differential distribution of S-boxes. In the next section, we present the basic rationale of the compress slide attack, which is applicable to ciphers with unslid rounds in the middle of a slid sequence.

3. The compress slide attack

The concept of “slide” is that one encryption process copies another encryption process, so that two encryption processes in a slid sequence are identical keyed permutations. We propose a new slide framework called the compress slide attack, which can attack block ciphers with unslid rounds in the middle of a slid sequence.

Let $E$ be an $r$-round block cipher with $n$-bit block size. Consider two encryption processes $E$, $E'$ keyed by $K$, $K'$ respectively. Denote the $i$-th round subkey generated from $K$ as $k_i$, and the $i$-th round subkey generated from $K'$ as $k'_i$. Let $F_{k_i}$, $F_{k'_i}$ be the $i$-th round functions, $(P, C)$, $(P', C')$ be plaintext–ciphertext pairs for $E$, $E'$, and $X_i$, $X'_i$ be the intermediate values after $i$ rounds of encryption respectively, where $i = 0, \ldots, r$, $X_0 = P$, $X_r = C$, $X'_0 = P'$, $X'_r = C'$.

We first consider ciphers with one unslid segment in the middle of a slid sequence. Without loss of generality, assume the first slid sequence is $(F_{k_2}, \ldots, F_{k_i}, F_{k'_1}, \ldots, F_{k'_{i-1}})$, i.e., rounds 2 to $i$ of the encryption process $E$ share common keyed round functions with rounds 1 to $i - 1$ of the encryption process $E'$, where $1 < i < r - 1$. The second slid sequence is $(F_{k_{i+1}}, \ldots, F_{k_{r-1}}, F_{k'_{i+2}}, \ldots, F_{k'_r})$. Nevertheless, the conventional slide attacks are not applicable in this case since there are unslid round functions $F_{k'_i}$ and $F_{k'_{i+1}}$ in the encryption process $E'$.

If there exist intermediate values $M_1$ satisfying $F_{k'_{i+1}}(F_{k'_i}(M_1)) = M_1$ with a certain probability $p_1$, then we can compress the $r$-round encryption process $E'$ into an $(r - 2)$-round encryption process with the probability $p_1$. Thus we get a consecutive slid sequence constructed of rounds 2 to $r - 1$ of the encryption process $E$ and the encryption process $E'$ with a probability $p_1$. It is shown in Fig. 3. The consecutive slid sequence can be used to mount a slide attack. We call it the compress slide attack because it compresses the encryption process.

Fig. 3. A slid sequence with one unslid segment.

Then, we consider ciphers with two unslid segments in the middle of a slid sequence. Assume two encryption processes contain three short slid sequences: $(F_{k_2}, \ldots, F_{k_i}, F_{k'_1}, \ldots, F_{k'_{i-1}})$, $(F_{k_{i+1}}, \ldots, F_{k_j}, F_{k'_{i+1}}, \ldots, F_{k'_j})$, and $(F_{k_{j+1}}, \ldots, F_{k_{r-1}}, F_{k'_{j+2}}, \ldots, F_{k'_r})$, where $1 < i < j < r - 1$. There are two unslid segments $F_{k'_i}$ and $F_{k'_{j+1}}$ in the encryption process $E'$. If there exist intermediate values $M_1$ satisfying $F_{k'_i}(M_1) = M_1$ with a certain probability $p_1$ and $M_2$ satisfying $F_{k'_{j+1}}(M_2) = M_2$ with a certain probability $p_2$, then we also compress the $r$-round encryption process $E'$ into an $(r - 2)$-round encryption process, and get a consecutive slid sequence. Fig. 4 illustrates this case.

Fig. 4. A slid sequence with two unslid segments.

In the two cases above the probability is $p_1$ and $p_1 p_2$ respectively. In the following, we denote the probability by $p$. When the encryption process $E'$ is compressed with the probability $p$, there exists a consecutive slid sequence which is constructed of the encryption processes $E$ and $E'$. Since the block size is $n$, from $1/p \times 2^n$ pairs $(P, C)$ and $(P', C')$ we expect to get one slid pair satisfying $F_{k_1}(P) = P'$ and $F_{k_r}(C') = C$.

The compress slide attack consists of three stages: a data collection stage, finding the compressed slid pair, and a key testing stage. In the following, we explain each stage.

Data collection stage: Firstly a concrete compressed slid sequence for a concrete cipher is ascertained. We collect pairs in order to obtain a pair satisfying the compressed slid sequence. The number of required pairs is correlated with the probability.

Finding the compressed slid pair: This stage seeks the compressed slid pair from all pairs obtained in the data collection stage and filters out part of the wrong keys from the key candidates by using compressed sliding techniques.

Key testing stage: We test surviving keys in a brute force manner by using plaintext–ciphertext pairs.

Above all, we must construct a concrete compressed slid sequence for a concrete block cipher and give the compressed probability. In the next section, we show a compress slide attack on the full GOST block cipher.

4. Attack on the full GOST

The GOST block cipher [2] is known as the former Soviet encryption standard GOST 28147-89, which was standardized as the Russian encryption standard in 1989. Over the past decades, several slide attacks on GOST have been published. However, those results attack only reduced GOST or variants. In this section, we first introduce the GOST block cipher and features of two-round GOST. Next we present a compressed slid sequence of GOST and a compress slide attack on the full GOST. Finally, we evaluate our attack.

4.1. Description of GOST

The GOST block cipher [2] is based on a 32-round Feistel structure with 64-bit block and 256-bit key size. The round function $F$ consists of a key addition, eight 4 × 4-bit S-boxes and an 11-bit left rotation. The round input of round $i + 1$ is divided into two 32-bit words, $X^i_L$ and $X^i_R$. Let $X^{i+1}_L$ and $X^{i+1}_R$ be the output of round $i + 1$, then $X^{i+1}_L = X^i_R$, $X^{i+1}_R = X^i_L \oplus (S(X^i_R \boxplus k_{i+1}) \lll 11) = X^i_L \oplus f(X^i_R \boxplus k_{i+1})$, where $\oplus$ is exclusive OR, $S(*)$ is eight 4 × 4-bit S-boxes, $\boxplus$ is addition modulo $2^{32}$, $\lll$ is left rotation, $f(*)$ is a function consisting of eight 4 × 4-bit S-boxes and a left rotation, and $k_{i+1}$ is the $(i + 1)$-th round subkey. The structure of a single round of GOST is shown in Fig. 5.

Fig. 5. A single round of GOST.

The 256-bit master key $K$ is divided into eight 32-bit words, i.e., $K = (k_1, k_2, \ldots, k_8)$, $k_i \in \{0,1\}^{32}$. Each $k_i$ is used as a round subkey in each round function as shown in Table 2.

Table 2. Key schedule of GOST.

| Round | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Subkey | $k_1$ | $k_2$ | $k_3$ | $k_4$ | $k_5$ | $k_6$ | $k_7$ | $k_8$ | $k_1$ | $k_2$ | $k_3$ | $k_4$ | $k_5$ | $k_6$ | $k_7$ | $k_8$ |

| Round | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Subkey | $k_1$ | $k_2$ | $k_3$ | $k_4$ | $k_5$ | $k_6$ | $k_7$ | $k_8$ | $k_8$ | $k_7$ | $k_6$ | $k_5$ | $k_4$ | $k_3$ | $k_2$ | $k_1$ |

In the GOST standard [2], the S-boxes are not specified. Each industry uses a different set of S-boxes. In this paper, we assume they are bijective.

Features of two-round GOST. The input of two-round GOST is composed of two 32-bit words denoted by $(X^i_L, X^i_R)$. The intermediate value after one-round encryption is denoted by $(X^{i+1}_L, X^{i+1}_R)$. The output is denoted by $(X^{i+2}_L, X^{i+2}_R)$. The round subkeys are denoted by $k_{i+1}$, $k_{i+2}$. Then, $X^{i+1}_L = X^i_R$, $X^{i+1}_R = X^i_L \oplus f(X^i_R \boxplus k_{i+1})$, $X^{i+2}_L = X^{i+1}_R$, $X^{i+2}_R = X^{i+1}_L \oplus f(X^{i+1}_R \boxplus k_{i+2})$, where $f(*)$ is a reversible function consisting of eight 4 × 4-bit S-boxes and a left rotation. See Fig. 6.

Fig. 6. Two-round GOST.

Observation 1. Given the input $(X^i_L, X^i_R)$ and output $(X^{i+2}_L, X^{i+2}_R)$ of two-round GOST, the round subkeys $k_{i+1}$ and $k_{i+2}$ can be easily obtained, and each has a unique solution.

From the round function of GOST, $X^{i+2}_L = X^{i+1}_R = X^i_L \oplus f(X^i_R \boxplus k_{i+1})$, then, $f(X^i_R \boxplus k_{i+1}) = X^i_L \oplus X^{i+2}_L$. Furthermore, $X^{i+1}_L = X^i_R$, and $X^{i+1}_R = X^{i+2}_L$, then, $X^{i+2}_R = X^{i+1}_L \oplus f(X^{i+1}_R \boxplus k_{i+2}) = X^i_R \oplus f(X^{i+2}_L \boxplus k_{i+2})$, which means that $f(X^{i+2}_L \boxplus k_{i+2}) = X^i_R \oplus X^{i+2}_R$. Given the values of $X^i_L$, $X^i_R$, $X^{i+2}_L$, and $X^{i+2}_R$, the values of $k_{i+1}$ and $k_{i+2}$ can be accurately obtained since $f(*)$ is a reversible function.

Observation 2. Fix the round subkeys $k_{i+1}$ and $k_{i+2}$. If the input $(X^i_L, X^i_R)$ of two-round GOST is equal to the output $(X^{i+2}_L, X^{i+2}_R)$, there exists a sole input value $(X^i_L, X^i_R)$.

Similarly, $f(X^i_R \boxplus k_{i+1}) = X^i_L \oplus X^{i+2}_L$, $f(X^{i+2}_L \boxplus k_{i+2}) = X^i_R \oplus X^{i+2}_R$. If $X^i_L = X^{i+2}_L$, $X^i_R = X^{i+2}_R$, then, $f(X^i_R \boxplus k_{i+1}) = 0$, $f(X^{i+2}_L \boxplus k_{i+2}) = 0$, and the result follows.

4.2. A compressed slid sequence

Consider two encryption processes $E$, $E'$ keyed by $K$, $K'$ respectively, where $K' = K \lll 32$. $K = (k_1, k_2, \ldots, k_8)$, $k_i \in \{0,1\}^{32}$, and $K' = (k'_1, k'_2, \ldots, k'_8)$, $k'_i \in \{0,1\}^{32}$. Then, $k'_1 = k_2$, $k'_2 = k_3$, $k'_3 = k_4$, $k'_4 = k_5$, $k'_5 = k_6$, $k'_6 = k_7$, $k'_7 = k_8$, $k'_8 = k_1$. The round functions keyed by round subkeys $k_i$, $k'_i$ are denoted by $F_{k_i}$, $F_{k'_i}$ respectively.

Let $(P, C)$ and $(P', C')$ be plaintext–ciphertext pairs for $E$ and $E'$. Then, the encryption process of $P$ under the key $K$ is

$$P \to F_{k_1} F_{k_2} \cdots F_{k_8}\; F_{k_1} F_{k_2} \cdots F_{k_8}\; F_{k_1} F_{k_2} \cdots F_{k_8}\; F_{k_8} \cdots F_{k_2} F_{k_1} \to C.$$

The encryption process of $P'$ under the key $K'$ is

$$P' \to F_{k'_1} \cdots F_{k'_7} F_{k'_8}\; F_{k'_1} \cdots F_{k'_7} F_{k'_8}\; F_{k'_1} \cdots F_{k'_7} F_{k'_8}\; F_{k'_8} F_{k'_7} \cdots F_{k'_1} \to C',$$

the process denoted by $(k_1, k_2, \ldots, k_8)$ is

$$P' \to F_{k_2} \cdots F_{k_8} F_{k_1}\; F_{k_2} \cdots F_{k_8} F_{k_1}\; F_{k_2} \cdots F_{k_8} F_{k_1}\; F_{k_1} F_{k_8} \cdots F_{k_2} \to C'.$$

From the description of $E$ and $E'$, we know that rounds 2–24 of the encryption $E$ share common round keys with rounds 1–23 of the encryption $E'$, which is a slid sequence. Rounds 25–31 of the first encryption share common round keys with rounds 26–32 of the second encryption, which is another slid sequence. Nevertheless, the conventional slide attacks are not applicable in this case since we have unslid rounds 24 and 25 in the encryption process $E'$.

If there exists a plaintext $P'$, of which the intermediate value $M$ after 23 rounds of encryption satisfies $F_{k_1}(F_{k_1}(M)) = M$, we can compress the 32-round encryption process $E'$ into a 30-round encryption process. And if there exists a plaintext $P$ satisfying $F_{k_1}(P) = P'$, then $F_{k_1}(C') = C$. We call such a pair a compressed slid pair.

What is the probability? The probability that we compress the encryption process is the probability that the intermediate value $M$ ($M$ denotes the input to round 24 in the encryption process $E'$) satisfies $F_{k_1}(F_{k_1}(M)) = M$. From Observation 2, for any round subkey $k_1$, there exists a sole value $M$. So the probability $p$ is $2^{-64}$. A compressed slid pair $(P = (P_L, P_R), P' = (P'_L, P'_R))$ satisfies $P_R = P'_L$ since GOST is a Feistel block cipher. Thus we expect to get one compressed slid pair when we construct $2^{96}$ pairs of the form $(P = (P_L, P_R), P' = (P'_L, P'_R))$, where $P_R = P'_L$. This requires $2^{64}$ known plaintexts.

4.3. Attack on the full GOST

Based on the previous discussion, we give a compress slide attack on the full GOST block cipher. A plaintext pair and a corresponding ciphertext pair are denoted by $(P = (P_L, P_R), P' = (P'_L, P'_R))$ and $(C = (C_L, C_R), C' = (C'_L, C'_R))$, where $P_L, P_R, P'_L, P'_R, C_L, C_R, C'_L, C'_R$ are 32-bit words. A compressed slid pair satisfies $F_{k_1}(P) = P'$ and $F_{k_1}(C') = C$, namely,

condition 1: $P'_L = P_R$;

condition 2: $P'_R = P_L \oplus f(P_R \boxplus k_1)$;

condition 3: $C_L = C'_R$;

condition 4: $C_R = C'_L \oplus f(C'_R \boxplus k_1)$.

All $2^{96}$ plaintext pairs already satisfy condition 1. From condition 3, we have a 32-bit filtering condition on ciphertext pairs. Thus only $2^{96}/2^{32} = 2^{64}$ pairs would pass through to the next phase of analysis.

From conditions 2 and 4, we have a 32-bit filtering condition on pairs since the same subkey is used. For each remaining pair, we perform the following steps:

1) Calculate the round subkey $k_1$ from $F_{k_1}(P) = P'$;

2) Compute $F_{k_1}(C')$ with the subkey $k_1$ obtained in step 1). If the result is equal to $C$, then store the values $k_1$ and $C'$.

From Observation 2, for each $k_1$, we can get the sole value $M$, and $F_{k_2}(F_{k_3}(F_{k_4}(F_{k_5}(F_{k_6}(F_{k_7}(F_{k_8}(M))))))) = C'$. After this procedure, $2^{64}/2^{32} = 2^{32}$ triples $(k_1, M, C')$ survive. In order to calculate the subkeys $k_2, k_3, \ldots, k_8$, for each triple we perform the following steps:

1) For each possible value of the round subkeys $k_8, k_7, k_6, k_5$ and $k_4$, encrypt $M$ to obtain the intermediate value $N$;

2) From $F_{k_2}(F_{k_3}(N)) = C'$, we obtain the values of the subkeys $k_2$ and $k_3$.

From Observation 1, for fixed $N$ and $C'$, each of the subkeys $k_2$ and $k_3$ has a unique solution. After this procedure, $2^{160}$ subkey candidates $k_2, k_3, \ldots, k_8$ survive for each triple. Thus the total number of key candidates is $2^{192}$ since there are $2^{32}$ triples.

All the key candidates are evaluated in the key testing stage. We test surviving keys in a brute force manner by using plaintext–ciphertext pairs. Given a plaintext–ciphertext pair, we have a 64-bit constraint on the key candidates. Thus we expect to obtain the right key when we use 3 plaintext–ciphertext pairs to test key candidates.
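
Observations 1 and 2 of Section 4.1, the compressed slid pair of Section 4.2 and the per-pair steps above can be checked end to end on a known key. The following Python code is an added example, not code from the paper: it follows the paper's model in which all 32 rounds have the same form, and the S-boxes, the key and all function names are constructed for the demonstration. The enumeration of $(k_4, \ldots, k_8)$ is replaced by the single correct guess.

```python
MASK = 0xFFFFFFFF

# Constructed bijective 4x4 S-boxes (affine maps mod 16 with an odd multiplier).
# Assumption for this demo only: they are not a standardized GOST S-box set.
SBOX = [[((2 * j + 3) * x + 5 * j + 1) % 16 for x in range(16)] for j in range(8)]
INV_SBOX = [[row.index(y) for y in range(16)] for row in SBOX]

def substitute(x, boxes):
    """Apply eight 4-bit S-boxes to the eight nibbles of a 32-bit word."""
    return sum(boxes[j][(x >> (4 * j)) & 0xF] << (4 * j) for j in range(8))

def f(x):
    """f(x) = S(x) <<< 11."""
    s = substitute(x, SBOX)
    return ((s << 11) | (s >> 21)) & MASK

def f_inv(y):
    """Inverse of f: rotate right by 11, then apply the inverse S-boxes."""
    return substitute(((y >> 11) | (y << 21)) & MASK, INV_SBOX)

def round_fwd(state, k):
    """One round F_k: (L, R) -> (R, L xor f(R + k mod 2^32))."""
    left, right = state
    return right, left ^ f((right + k) & MASK)

def round_inv(state, k):
    """Inverse of F_k."""
    left, right = state
    return right ^ f((left + k) & MASK), left

def round_keys(key):
    """Table 2: k1..k8 three times, then k8..k1."""
    return list(key) * 3 + list(reversed(key))

def encrypt(block, key):
    """32 rounds in the paper's model, where every round has the same form."""
    for k in round_keys(key):
        block = round_fwd(block, k)
    return block

def recover_two_round_keys(inp, out):
    """Observation 1: the unique (k_{i+1}, k_{i+2}) taking inp to out."""
    (l0, r0), (l2, r2) = inp, out
    return (f_inv(l0 ^ l2) - r0) & MASK, (f_inv(r0 ^ r2) - l2) & MASK

def two_round_fixed_point(k_a, k_b):
    """Observation 2: the only M with F_{k_b}(F_{k_a}(M)) = M."""
    z = f_inv(0)  # the single input that f maps to 0
    return (z - k_b) & MASK, (z - k_a) & MASK

def compressed_slid_pair(key):
    """Section 4.2: build P, P' and K' = K <<< 32 from a known key K."""
    k1, rotated = key[0], key[1:] + key[:1]
    state = two_round_fixed_point(k1, k1)         # M, input to round 24 of E'
    for k in reversed(round_keys(rotated)[:23]):  # undo rounds 23..1 of E'
        state = round_inv(state, k)
    return round_inv(state, k1), state, rotated   # P = F_k1^{-1}(P'), P', K'

def recover_from_pair(p, p_prime, c, c_prime, guess_k4_to_k8):
    """Section 4.3 for one candidate pair and one guess of (k4, ..., k8)."""
    if p_prime[0] != p[1] or c[0] != c_prime[1]:   # conditions 1 and 3
        return None
    k1 = (f_inv(p_prime[1] ^ p[0]) - p[1]) & MASK  # solve condition 2 for k1
    if round_fwd(c_prime, k1) != c:                # condition 4: F_k1(C') = C
        return None
    n = two_round_fixed_point(k1, k1)              # M for this k1
    for k in reversed(guess_k4_to_k8):             # apply F_k8, ..., F_k4
        n = round_fwd(n, k)
    k3, k2 = recover_two_round_keys(n, c_prime)    # F_k2(F_k3(N)) = C'
    return (k1, k2, k3) + tuple(guess_k4_to_k8)

def demo():
    """Run the whole chain on a constructed key; returns (key, recovered)."""
    key = (0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978,
           0xDEADBEEF, 0x00C0FFEE, 0x13579BDF, 0x2468ACE0)
    p, p_prime, rotated = compressed_slid_pair(key)
    c, c_prime = encrypt(p, key), encrypt(p_prime, rotated)
    return key, recover_from_pair(p, p_prime, c, c_prime, key[3:])

if __name__ == "__main__":
    key, recovered = demo()
    print("recovered key equals original:", recovered == key)
```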

4.4. Complexity of the attack

The complexity of our attack on the full GOST block cipher can be estimated as follows. According to the former analysis, the data complexity of our attack is $2^{64}$. The time complexity of validating condition 3 is negligible. Furthermore, obtaining the triples $(k_1, M, C')$ costs about $2^{64}$ 4-round GOST encryptions. Since calculating each subkey candidate $k_2, k_3, \ldots, k_8$ is equivalent to a 7-round GOST encryption, the time complexity of obtaining all the key candidates is about $2^{32} \times 2^{160} = 2^{192}$ 7-round GOST encryptions. The time complexity of the key testing stage is $2^{192} + 2^{128} + 2^{64} \approx 2^{192}$ 32-round GOST encryptions. The overall time complexity is dominated by the key testing stage, thus it is approximately equal to $2^{192}$ 32-round GOST encryptions. Consequently, this attack can recover a key with a time complexity of about $2^{192}$ encryptions and $2^{64}$ data.

5. Conclusion

In this paper, we have presented the compress slide attack. Our attack compresses several unslid rounds with a high probability to enhance the slide attack and makes it possible to analyze ciphers with unslid rounds in the middle of a slid sequence. The new technique allows us to attack the full GOST block cipher with a time complexity of $2^{192}$ and $2^{64}$ data. This paper only considers ciphers with one or two unslid segments, thus the main open problem left in this paper is whether it is possible to construct a consecutive slid sequence for sophisticated ciphers with more unslid segments.

Acknowledgements

We would like to thank Vincent Rijmen and anonymous Reviewers for their constructive suggestions.

References

[1] NBS, Data Encryption Standard, Federal Information Processing Standard (FIPS), Publication 46, U.S. Dept. of Commerce, Washington D.C., 1977.

[2] National Soviet Bureau of Standards, Information Processing System, Cryptographic Protection, Cryptographic Algorithm GOST 28147-89, 1989.

[3] Specification of SMS4, Block Cipher for WLAN products-SMS4, http://www.oscca.gov.cn/UpFile/200621016423197990.pdf (in Chinese).

[4] E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology 4 (1) (1991) 3–72.

[5] M. Matsui, Linear Cryptanalysis Method for DES Cipher, in: EUROCRYPT 1993, LNCS, vol. 765, Springer-Verlag, 1994, pp. 386–397.

[6] A. Biryukov, D. Wagner, Slide Attacks, in: FSE 1999, LNCS, vol. 1636, Springer-Verlag, 1999, pp. 245–259.

[7] A. Biryukov, D. Wagner, Advanced Slide Attacks, in: EUROCRYPT 2000, LNCS, vol. 1807, Springer-Verlag, 2000, pp. 589–606.

[8] Y. Ko, S. Hong, W. Lee, S. Lee, J.-S. Kang, Related Key Differential Attacks on 27 Rounds of XTEA and Full-Round GOST, in: FSE 2004, LNCS, vol. 3017, Springer-Verlag, 2004, pp. 299–316.

[9] R.C.-W. Phan, Advanced Slide Attacks Revisited: Realigning Slide on DES, in: Mycrypt 2005, LNCS, vol. 3715, Springer-Verlag, 2005, pp. 263–276.

[10] E. Biham, O. Dunkelman, N. Keller, Improved Slide Attacks, in: FSE 2007, LNCS, vol. 4593, Springer-Verlag, 2007, pp. 153–166.

[11] E. Fleischmann, M. Gorski, J. Huehne, S. Lucks, Key Recovery Attack on full GOST Block Cipher with Negligible Time and Memory, in: LNCS, vol. 6429, Springer-Verlag, 2009, Presented at Western European Workshop on Research in Cryptology (WEWoRC).

[12] V. Rudskoy, On zero practical significance of key recovery attack on full GOST block cipher with zero time and memory, Cryptology ePrint Archive, Report 2010/111, http://eprint.iacr.org/, 2010.

[13] N.T. Courtois, M. Misztal, Differential cryptanalysis of GOST, Cryptology ePrint Archive, Report 2011/312, http://eprint.iacr.org/, 2011.

[14] T. Isobe, A Single-Key Attack on the Full GOST Block Cipher, in: FSE 2011, LNCS, vol. 6733, Springer-Verlag, 2011, pp. 290–305.

[15] I. Dinur, O. Dunkelman, A. Shamir, Improved Attacks on Full GOST, in: FSE 2012, LNCS, vol. 7549, Springer-Verlag, 2012, pp. 9–28.

[16] O. Dunkelman, N. Keller, A. Shamir, Minimalism in Cryptography: The Even-Mansour Scheme Revisited, in: EUROCRYPT 2012, LNCS, vol. 7237, Springer-Verlag, 2012, pp. 336–354.