On Tue, Jun 14, 2011 at 7:31 AM, Jean-Philippe Aumasson <[email protected]> wrote:

> AFAIU this attack indeed needs to store all 2^64 plaintext/ciphertext
> pairs, and needs 2^228 computations. This makes it less interesting
> than a generic codebook attack, which only needs the former 2^64
> storage.
>
> Saying "GOST is NOT SECURE" is thus exaggerated, to say the least...
>
> A far-fetched scenario where this attack may reduce security is one
> wherein the same 256b key is used for both GOST and (say) AES-256.
> Even in that case, it's not obvious that the said attack would be more
> efficient than a clever bruteforce.
It is not reasonable to consider an attack with a 2^228 work factor as breaking a cipher, nor is it reasonable to say that because this is 2^28 times faster than a brute force attack that this is a break (also, the 2^64 storage requirement means that this attack is only ~2^23 times faster than brute force, because the random access to that storage won't be free).

Perhaps that's a typo and the author meant 2^28? *That* would be a break, even with a 2^64 storage requirement. But skimming the paper it does not seem to be a typo.

For me the problem with GOST is its block size. I would much prefer a 128-bit block size for reasons having to do with re-key considerations.

Nico
--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
