Aggregated differentials and cryptanalysis of PP-1 and GOST (Q2392055)

Two ciphers: GOST (Russian government encryption standard) and PP-1 (designed at the Poznań University of Technology in Poland) have been claimed to be secure against differential cryptanalysis. The results of this paper refute this thesis. The possibility of breaking the GOST cipher was first noted by \textit{H.~Saki and T.~Kaneko} [Lect. Notes Comput. Sci. 2012, 315--323 (2001; Zbl 0981.94503)]. They have shown that the straightforward classical differential attack with one single differential characteristic is inefficient, but joining several differential one can obtain a tool for breaking this cipher. To this purpose, they have proposed the aggregated differential \((0x70707070,0x07070707)\). The authors show that the characteristic \((0x80700700,0x80700700)\) improves the result of Saki and Kaneko (op. cit.). They also show that this technique allows to break all known versions of PP-1 ciphers (cf. \textit{M.~Misztal} [Ann. UMCS, Informatica 11, No. 2, 9--24 (2012), \url{doi:10.2478/v10065-011-0006-7}]). A general theory of differential analysis can be found in [\textit{L. R.~Knudsen and M. J. B.~Robshaw}, The block cipher companion. Berlin: Springer (2011; Zbl 1243.68010)] .