[cryptography] GOST attack
jeanphilippe.aumasson at gmail.com
Tue Jun 14 08:31:03 EDT 2011
AFAIU this attack indeed needs to store all 2^64 plaintext/ciphertext
pairs, and needs 2^228 computations. This makes it less interesting
than a generic codebook attack, which only needs the former 2^64
Saying "GOST is NOT SECURE" is thus exaggerated, to say the least...
A far-fetched scenario where this attack may reduce security is one
wherein the same 256b key is used for both GOST and (say) AES-256.
Even in that case, it's not obvious that the said attack would be more
efficient than a clever brute force.
On Tue, Jun 14, 2011 at 1:25 PM, Alexander Klimov <alserkli at inbox.ru> wrote:
> In this paper we show that GOST is NOT SECURE even against
> differential cryptanalysis (DC), or rather advanced attacks based on
> sets of differentials. [...]
> An Improved Differential Attack on GOST [...]
> Overall this attack requires 2^64 KP [known pairs, I guess] and
> allows to break full 32-round GOST in time of about 2^228 GOST
> encryptions for a success probability of 50 %.
> Since GOST has a 64-bit block size, it means that the attacker starts
> with the full map of (plaintext, ciphertext) pairs. In a sane system
> the key is either random or a result of KDF -- what can be the point
> of such an attack?