[cryptography] GOST attack

Nico Williams nico at cryptonector.com
Tue Jun 14 13:13:30 EDT 2011


On Tue, Jun 14, 2011 at 7:31 AM, Jean-Philippe Aumasson
<jeanphilippe.aumasson at gmail.com> wrote:
> AFAIU this attack indeed needs to store all 2^64 plaintext/ciphertext
> pairs, and needs 2^228 computations. This makes it less interesting
> than a generic codebook attack, which only needs the former 2^64
> storage.
>
> Saying "GOST is NOT SECURE" is thus exaggerated, to say the least...
>
> A far-fetched scenario where this attack may reduce security is one
> wherein the same 256b key is used for both GOST and (say) AES-256.
> Even in that case, it's not obvious that the said attack would be more
> efficient than a clever bruteforce.

It is not reasonable to consider an attack with a 2^228 work factor as
breaking a cipher, nor is it reasonable to say that because this is 2^28
times faster than a brute force attack that this is a break (also, the
2^64 storage requirement means that this attack is only ~2^23 times
faster than brute force, because the random access to that storage
won't be free).  Perhaps that's a typo and the author meant 2^28?
*That* would be a break, even with a 2^64 storage requirement.  But
skimming the paper it does not seem to be a typo.

For me the problem with GOST is its block size.  I would much prefer a
128-bit block size for reasons having to do with re-key
considerations.

Nico
--


