Re: [Cfrg] Any update on GOST or more generally?

Stephen Farrell <> Sun, 21 October 2012 23:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 54AE521F8943 for <>; Sun, 21 Oct 2012 16:41:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.555
X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XhJUtFZ4qTRl for <>; Sun, 21 Oct 2012 16:41:39 -0700 (PDT)
Received: from ( [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by (Postfix) with ESMTP id 1524921F88F1 for <>; Sun, 21 Oct 2012 16:41:37 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2FD9017147A; Mon, 22 Oct 2012 00:41:37 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1350862893; bh=1awN9LK62M1Nxn D51ddHD+w6scnvz80TXauDfCVcVr8=; b=H5wX0Ih6bXAD5Dftsr910XxFX1rWLd y8Nj5Hm95f4p7e/nbEoPEsyqTnegJ2Tx8/EsJZkXHb3vzzJ9SnhrOquSbq3JtZCD RXRvPfMCpDRrWkvHUtKb3cHXqYsd0ApT0n4j4lbBtpH1LvziwTKwgjEGpKl11a1V uYP3TziIibPHl/a21nyis0/HbSitG/e8TrwH+INITKt04FSq6QsUhzWUF7DucB9l b4ESB65HF1d/Ha6kC8dUGy70Kj+UghEwOggXvRKR5LHfA9E0aOLbgWpO7PBWwko0 AwuZz2FxMZJKtHkHAHT2Rpxs7ubMmIzZ6pw7FK8zj/hJGXbrlbD65pcg==
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10027) with ESMTP id qRFZunMGkFOb; Mon, 22 Oct 2012 00:41:33 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id DB53F171478; Mon, 22 Oct 2012 00:41:32 +0100 (IST)
Message-ID: <>
Date: Mon, 22 Oct 2012 00:41:32 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121017 Thunderbird/16.0.1
MIME-Version: 1.0
To: Jon Callas <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] Any update on GOST or more generally?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Oct 2012 23:41:40 -0000

Hi Jon,

See below...

On 10/22/2012 12:19 AM, Jon Callas wrote:
> On Oct 21, 2012, at 2:08 PM, Stephen Farrell <> wrote:
>> Hiya,
>> Someone asked me about [1] and whether the IETF ought make
>> any changes as a result.
>> My initial reaction was that 2^172 is still more than 3DES
>> but its probably worth asking here.
>> Any CFRG thoughts on this development or more generally if
>> there are changes with other cryptographic functions
>> are welcome.
>> No need for an I-D, some mail is fine and we could take it
>> from there if there's something to do.
>> Thanks,
>> S.
>> [1]
> What sort of changes?

Dunno. Depends on what's the right thing to do.

I guess that could vary from 'do nothing' up to 'write an
I-D saying "<foo> considered harmful" that also deprecates
some code points in various IANA registries.'

[...good stuff snipped, though more is welcome...]

> Courtois also notes that there's been a lot of cryptanalysis on it since 2010.  If you felt that GOST was dodgy, you now have more reasons. If you want it as an alternative to AES, you can quote <> which has a 2^119 complexity attack against AES-256, making it arguably weaker than AES-128. (Interestingly, the same paper gives an attack against AES-192 with 2^176 complexity and the same reasoning would have it stronger than either GOST or other AES key sizes). The arguments for using GOST as an alternative to AES still stand, if that's what floats your boat. And as I noted above, if you are doing business in Russia, this is all irrelevant as you just have to use GOST.

I'd love to know if someone's actually measured how much
these national/vanity ciphersuites are actually used in
IETF protocols.


> All of this is reason for us in the IETF to take note and just keep paying attention. If we're going to use this as a reason to advise for or against GOST, we really need to consider the BDKKS attack on large-key AES. None of these attacks are practical, though, and anything with a real 128 bits of security is likely good for the next couple-three decades. Most of us pick ciphers by a combination of security SWAG and fiat. This might change one's SWAG, but it doesn't change the fiat.
> 	Jon
> _______________________________________________
> Cfrg mailing list