Home

GOST 28147-89 encryption algorithm

BestCrypt for Windows

BestCrypt for Linux

BestCrypt Volume Encryption

BestCrypt Traveller

BCArchive

Government Standard of the U.S.S.R. 28147-89

Cryptographic protection for Data Protection Systems

Translated from Russian by Aleksandr Malchik
Sun Microsystem Laboratories, Mountain View, California
with editorial and typographic assistance from
Whitfield Diffic
Sun Microsystems
Mountain View, California

Preface to the English Translation

The Government Standard of the U.S.S.R. 28147-89, Cryptographic protection for Data Protection Systems, appears to have played a role in the Soviet Union similar to that played by the U.S. Data Encryption Standard (FIPS 46). When issued, it bore the minimal classification 'For Official Use', but is now said to be widely available in software both in the Former Soviet Union and elsewhere. In apparent contrast to DES's explicit limitation to unclassified information, the introduction to GOST 28147-89 contains the intriguing remark that the cryptographic transformation algorithm "does not place any limitations on the secrecy level of the protected information."

The algorithms are similar in that both operate on 64-bit blocks by successively modifying half of the bits with a function of the other half. Beyond that, the similarity declines and several differences are visible.

  • The Soviet System has 32 rounds than the 16 of DES.
  • Each round is somewhat simpler than a round of DES. In the 'f' function, 32 bits of text are added modulo 32 to 32 bits of key, transformed by a block of eight, 4-bit to 4-bit S-boxes and rotated 11 bits to the left.
  • In contrast to DES's meagre 56 bits of key, GOST 28147-89 has 256 bits of primary key and 512 bits of secondary key. The secondary key is the block of eight S-boxes, which are specific to individual networks and are not included in the standard (*).
  • In place of complex key schedule of DES, the primary key is divided into eight 32-bit words. For the first twenty-four rounds, these are used cyclically in ascended order. For the last eight, they are used in descending order.

The standard is also somewhat broader that FIPS46. It includes output feedback and cipher feedback modes of operation, both limited to 64-bit blocks, and a mode for producing message authentication codes.

The translation is internally colloquial, preferring standard English terms to charmingly quaint cognates of the Russian. The objective is to make it easy for English speaking cryptographers to identify what is novel with minimal effort. In some places, particularly the glossary, with has changed the wording considerably and a few remarks on some of the freer choices, seems in order.

(*) Please take into account that Sun Microsystems's terminology - "primary key" and "secondary key" may be misunderstood: it will be not correct to calculate GOST total key length as the sum of primary and secondary key lengths, i.e. 512+256=768 bits. The terms "key" and "permutation table" are more widely known, and more complex calculations have to be made for the total key length of the GOST algorithm. (Jetico comment)

You may also find GOST28147-89 description and crypto analysis of the algorithm in Bruce Schneier's "Applied Cryptography" book. As for the GOST total key length, Schneier writes the following:

"GOST has a 256-bit key. If you add in the secret S-box permutations, GOST has a total of about 610 bits of secret information."

Click here to download a complete "Government Standard of the U.S.S.R. 28147-89 (Sun Microsystems translation)" document in PostScript format.

counter