Paper 2016/532

Cryptanalysis of GOST2

Tomer Ashur, Achiya Bar-On, and Orr Dunkelman


GOST 28147 is a 256-bit key 64-bit block cipher developed by the USSR, later adopted by the Russian government as a national standard. In 2010, GOST was suggested to be included in ISO-18033, but was rejected due to weaknesses found in its key schedule. In 2015, a new version of GOST was suggested with the purpose of mitigating such attacks. In this paper, we show that similar weaknesses exist in the new version as well. More specifically, we present a fixed-point attack on the full cipher with time complexity of $2^{237}$ encryptions. We also present reflection which improves on exhaustive search by a factor of $2e$ attack with time complexity of $2^{192}$ for a key that is chosen from a class of $2^{224}$ weak keys. Finally, we discuss an impossible reflection attack and several possible related-key attacks.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in FSE 2017
Block cipherscryptanalysisGOSTGOST2reflection attackfixed-point attackrelated-key attackimpossible reflection attack
Contact author(s)
tashur @ esat kuleuven be
2017-02-23: last of 3 revisions
2016-05-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Tomer Ashur and Achiya Bar-On and Orr Dunkelman},
      title = {Cryptanalysis of GOST2},
      howpublished = {Cryptology ePrint Archive, Paper 2016/532},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.