Abstract. GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. Its large key size of 256 bits at a particularly low implementation cost [34] make GOST a plausible alternative for AES-256 and 3-key triple DES. The latter for the same block size of 64 bits offers keys of only 168 bits. All these algorithms are widely used, in particular in the financial industry. GOST is implemented in OpenSSL and other crypto libraries [28, 45], and is increasingly popular also outside its country of origin [27, 34]. In 2010 GOST was submitted to ISO, to become an international standard. In theory 256-bit keys could remain secure for 200 years. GOST was analysed by Schneier, Biham, Biryukov, Dunkelman, Wagner, various Australian, Japanese, and Russian scientists, and all researchers seemed to agree that it looks quite secure. Though the internal structure of GOST seems quite weak compared to DES, and in particular the diffusion is not quite as good...