Cryptanalysis of GOST2


  • Tomer Ashur imec - Computer Security and Industrial Cryptography (COSIC) research group, Department of Electrical Engineering (ESAT), KU Leuven, Leuven, Belgium
  • Achiya Bar-On Department of Mathematics, Bar-Ilan University, Ramat Gan, Israel
  • Orr Dunkelman Computer Science Department, University of Haifa, Haifa, Israel



Block ciphers, Cryptanalysis, GOST, GOST2, Reflection attack, Fixed-point attack, Related-key attack, Impossible reflection attack


GOST 28147 is a 256-bit key 64-bit block cipher developed by the USSR, later adopted by the Russian government as a national standard. In 2010, GOST was suggested to be included in ISO/IEC 18033-3, but was rejected due to weaknesses found in its key schedule. In 2015, a new version of GOST was suggested with the purpose of mitigating such attacks. In this paper, we show that similar weaknesses exist in the new version as well. More specifically, we present a fixed-point attack on the full cipher with time complexity of 2237 encryptions. We also present a reflection attack with time complexity of 2192 for a key that is chosen from a class of 2224 weak keys. Finally, we discuss an impossible reflection attack which improves on exhaustive search by a factor of 2e, and several possible related-key attacks.




How to Cite

Ashur, T., Bar-On, A., & Dunkelman, O. (2017). Cryptanalysis of GOST2. IACR Transactions on Symmetric Cryptology, 2017(1), 203–214.