GOST (hash function)

Abstract: The former Soviet encryption algorithm GOST 28147-89 has been standardized by the Russian standardization agency in 1989 and extensive security analysis has been done since. So far no weaknesses have been found and GOST is currently under discussion for ISO standardization. Contrary to the cryptographic properties, there has not been much interest in the implementation properties of GOST, though its Feistel structure and the operations of its round function are well-suited for hardware implementations. Our post-synthesis figures for an ASIC implementation of GOST with a key-length of 256 bits require only 800 GE, which makes this implementation well suitable for low-cost passive RFID-tags. As a further optimization, using one carefully selected S-box instead of 8 different ones -which is still fully compliant with the standard specifications!- the area requirement can be reduced to 651 GE.

Abstract: GOST is a geometric-optical (GO) model for sloping terrains developed in this study based on the four-scale GO model, which simulates the bidirectional reflectance distribution function (BRDF) of forest canopies on flat surfaces. The four-scale GO model considers four scales of canopy architecture: tree groups, tree crowns, branches, and shoots. In order to make this model suitable for sloping terrains, the mathematical description for the projection of tree crowns on the ground has been modified to consider the fact that trees grow vertically rather than perpendicularly to sloping grounds. The simulated canopy gap fraction and the area ratios of the four scene components (sunlit foliage, sunlit background, shaded foliage, and shaded background) by GOST compare well with those simulated by 3-D virtual canopy computer modeling techniques for a hypothetical forest. GOST simulations show that the differences in area ratios of the four scene components between flat and sloping terrains can reach up to 50%-60% in the principal plane and about 30% in the perpendicular plane. Two case studies are conducted to compare modeled canopy reflectance with observations. One comparison is made against Landsat-5 Thematic Mapper (TM) reflectance, demonstrating the ability of GOST to model canopy reflectance variations with slope and aspect of the terrain. Another comparison is made against MODIS surface reflectance, showing that GOST with topographic consideration outperforms that without topographic consideration. These comparisons confirm the ability of GOST to model canopy reflectance on sloping terrains over a large range of view angles.

Abstract: GOST is a well known block cipher which was developed in the Soviet Union during the 1970's as an alternative to the US-developed DES. In spite of considerable cryptanalytic effort, until very recently there were no published single key attacks against its full 32-round version which were faster than the 2256 time complexity of exhaustive search. In February 2011, Isobe used the previously discovered reflection property in order to develop the first such attack, which requires 232 data, 264 memory and 2224 time. In this paper we introduce a new fixed point property and a better way to attack 8-round GOST in order to find improved attacks on full GOST: Given 232 data we can reduce the memory complexity from an impractical 264 to a practical 236 without changing the 2224 time complexity, and given 264 data we can simultaneously reduce the time complexity to 2192 and the memory complexity to 236.

Abstract: In this article, we analyze the security of the GOST hash function. The GOST hash function, defined in the Russian standard GOST 34.11-94, is an iterated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterative structure, a checksum computed over all input message blocks. This checksum is then part of the final hash value computation. As a result of our security analysis of the GOST hash function, we present the first collision attack with a complexity of about 2105evaluations of the compression function. Furthermore, we are able to significantly improve upon the results of Mendel et al. with respect to preimage and second preimage attacks. Our improved attacks have a complexity of about 2192evaluations of the compression function.