[cryptography] GOST attack

Alexander Klimov alserkli at inbox.ru
Tue Jun 14 07:25:47 EDT 2011


  In this paper we show that GOST is NOT SECURE even against
  differential cryptanalysis (DC), or rather advanced attacks based on
  sets of differentials. [...]

  An Improved Differential Attack on GOST [...]

  Overall this attack requires 2^64 KP [known pairs, I guess] and
  allows to break full 32-round GOST in time of about 2^228 GOST
  encryptions for a success probability of 50 %.

Since GOST has a 64-bit block size, it means that the attacker starts
with the full map of (plaintext, ciphertext) pairs. In a sane system
the key is either random or a result of KDF -- what can be the point
of such an attack?


More information about the cryptography mailing list