AFAIU this attack indeed needs to store all 2^64 plaintext/ciphertext pairs, and needs 2^228 computations. This makes it less interesting than a generic codebook attack, which only needs the former 2^64 storage.
Saying "GOST is NOT SECURE" is thus exaggerated, to say the least... A far-fetched scenario where this attack may reduce security is one wherein the same 256b key is used for both GOST and (say) AES-256. Even in that case, it's not obvious that the said attack would be more efficient than a clever bruteforce.

On Tue, Jun 14, 2011 at 1:25 PM, Alexander Klimov <alser...@inbox.ru> wrote:
> <http://eprint.iacr.org/2011/312.pdf>:
>
> In this paper we show that GOST is NOT SECURE even against
> differential cryptanalysis (DC), or rather advanced attacks based on
> sets of differentials. [...]
>
> An Improved Differential Attack on GOST [...]
>
> Overall this attack requires 2^64 KP [known pairs, I guess] and
> allows to break full 32-round GOST in time of about 2^228 GOST
> encryptions for a success probability of 50 %.
>
> Since GOST has a 64-bit block size, it means that the attacker starts
> with the full map of (plaintext, ciphertext) pairs. In a sane system
> the key is either random or a result of KDF -- what can be the point
> of such an attack?
>
> --
> Regards,
> ASK
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography