[cryptography] GOST attack

Sandy Harris sandyinchina at gmail.com
Tue Jun 14 23:01:17 EDT 2011

On Tue, Jun 14, 2011 at 7:25 PM, Alexander Klimov <alserkli at inbox.ru> wrote:

> <http://eprint.iacr.org/2011/312.pdf>:

>  Overall this attack requires 2^64 KP [known pairs, I guess] and
>  allows to break full 32-round GOST in time of about 2^228 GOST
>  encryptions for a success probability of 50 %.
> Since GOST has a 64-bit block size, it means that the attacker starts
> with the full map of (plaintext, ciphertext) pairs. In a sane system
> the key is either random or a result of KDF -- what can be the point
> of such an attack?

I do not think there is any point at all. 2^64 known pairs is a
complete codebook, which in itself breaks the cipher. The
attacker can just look up any future ciphertext block in the
book and recover the plaintext. Game over.

Even in theory, an attack that requires 2^keysize or more
encryptions is uninteresting because a brute force attack is
simpler. Similarly, one that requires 2^blocksize or more
blocks of known plaintext is uninteresting because the
codebook attack is simple and effective.

In practice, there are other problems. The attacker needs
storage for 2^64 blocks, and the attack only works if the
cipher is not rekeyed in that volume of data. This is not
even close to a practical attack.

The only way this paper could become interesting is if,
as the authors suggest, it is only a first step toward
better attacks. Wait and see.
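
The codebook argument above at toy scale, as an added example that is not part of the original post. A constructed 16-bit Feistel cipher (not GOST) with a 256-bit key stands in for GOST's 64-bit block; the cipher, keys and function names are assumptions made for illustration.

```python
import hashlib

BLOCK_BITS = 16            # toy block size (GOST uses 64); keeps 2^n enumerable
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1
ROUNDS = 8

def _f(half, key, rnd):
    # Toy keyed round function (assumption; GOST uses S-boxes and rotation).
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0] & MASK

def encrypt(block, key):
    # Balanced Feistel network, so encryption is a permutation of all blocks.
    l, r = block >> HALF, block & MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << HALF) | r

def build_codebook(known_pairs):
    # ciphertext -> plaintext; complete once it holds 2^BLOCK_BITS entries.
    return {c: p for p, c in known_pairs}

def codebook_storage_bytes(block_bits):
    # One stored plaintext block per possible ciphertext block.
    return (1 << block_bits) * (block_bits // 8)

def demo():
    key = bytes(range(32))             # constructed 256-bit key, unknown to the observer
    n = 1 << BLOCK_BITS
    book = build_codebook((p, encrypt(p, key)) for p in range(n))
    secret = 0xBEEF                    # constructed plaintext block
    recovered = book[encrypt(secret, key)]   # table lookup, no key involved
    new_key = bytes(range(1, 33))      # after rekeying the old book is useless
    hits = sum(book[encrypt(p, new_key)] == p for p in range(n))
    return len(book), recovered, hits

if __name__ == "__main__":
    size, recovered, hits = demo()
    print(f"codebook entries: {size}, recovered block: {recovered:#06x}")
    print(f"correct lookups after rekey: {hits} of {size}")
    print(f"64-bit codebook: {codebook_storage_bytes(64) / 2**60:.0f} EiB")
```

The key length never enters the lookup, which is why a full set of known pairs makes any further key-recovery work redundant, and why rekeying well before 2^blocksize blocks bounds the exposure.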
