[cryptography] GOST attack

Jean-Philippe Aumasson jeanphilippe.aumasson at gmail.com
Tue Jun 14 08:31:03 EDT 2011

AFAIU this attack indeed needs store all 2^64 plaintext/ciphertext
pairs, and needs 2^228 computations. This makes it less interesting
than a generic codebook attack, which only needs the former 2^64

Saying "GOST is NOT SECURE" is thus exaggerated, to say the least...

A far-fetched scenario where this attack may reduce security is one
wherein the same 256b key is used for both GOST and (say) AES-256.
Even in that case, it's not obvious that the said attack would be more
efficient than a clever bruteforce.

On Tue, Jun 14, 2011 at 1:25 PM, Alexander Klimov <alserkli at inbox.ru> wrote:
> <http://eprint.iacr.org/2011/312.pdf>:
>  In this paper we show that GOST is NOT SECURE even against
>  differential cryptanalysis (DC), or rather advanced attacks based on
>  sets of differentials. [...]
>  An Improved Differential Attack on GOST [...]
>  Overall this attack requires 2^64 KP [known pairs, I guess] and
>  allows to break full 32-round GOST in time of about 2^228 GOST
>  encryptions for a success probability of 50 %.
> Since GOST has a 64-bit block size, it means that the attacker starts
> with the full map of (plaintext, ciphertext) pairs. In a sane system
> the key is either random or a result of KDF -- what can be the point
> of such an attack?
> --
> Regards,
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list