On Tue, Jun 14, 2011 at 7:13 PM, Nico Williams <[email protected]> wrote: > On Tue, Jun 14, 2011 at 7:31 AM, Jean-Philippe Aumasson > <[email protected]> wrote: > > (...) > > It is not reasonable to consider an attack with a 2^228 work factor as > breaking a cipher, nor is it reasonable to say that because this 2^28 > times faster than a brute force attack that this is a break (also, the > 2^64 storage requirement means that this attack is only ~2^23 times > faster than brute force, because the random access to that storage > won't be free). Perhaps that's a typo and the author meant 2^28? > *That* would be a break, even with a 2^64 storage requirement. But > skimming the paper it does not seem to be a typo.
Your argument perfectly makes sense. However, academic attack models generally consider a cipher as broken as soon as an attack is found that contradicts the claim of X-bit security, even when the reduction of complexity is practically insignificant. When the attack requires a non-negligible amount of memory, yet does fewer than 2^X "computations", it can be difficult to evaluate whether it really outperforms (in theory) bruteforce methods. > > For me the problem with GOST is its block size. I would much prefer a > 128-bit block size for reasons having to do with re-key > considerations. > _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
