Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sat, 12 December 2015 23:57 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Tom Ritter <tom@ritter.vg>
Date: Fri, 11 Dec 2015 21:27:24 +0000
Message-ID: <D290A65E.23EC8%uri@ll.mit.edu>
References: <5668D26F.2020200@cs.tcd.ie> <5668D7A3.1070103@cs.tcd.ie> <A03EFDDF-DDA7-49E0-B0F4-64B50D0BB8EF@gmail.com> <56694CB0.4020503@cs.tcd.ie> <CAA4PzX2WFOJKe0qMST01n9WPV7HJHMkAjgBviaQZ9LTPne-_eg@mail.gmail.com> <D28EFC16.23CBC%uri@ll.mit.edu> <CA+cU71m7TLiBBipKYk2CQfeivHHVe0WH7jsFuN6CUE5vKC8yfg@mail.gmail.com>
In-Reply-To: <CA+cU71m7TLiBBipKYk2CQfeivHHVe0WH7jsFuN6CUE5vKC8yfg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/V6L3AudCvmBu_cKncjrFlwzOGnQ>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>, Nevil Brownlee <rfc-ise@rfc-editor.org>
Subject: Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?

On 12/11/15, 11:57 , "Tom Ritter" <tom@ritter.vg> wrote:

>On 10 December 2015 at 09:00, Blumenthal, Uri - 0553 - MITLL
><uri@ll.mit.edu> wrote:
>> GOST has been reviewed and analyzed by the cryptographic community
>> (academia included) for ages (well, decades, really). I’ve seen several
>> publications. As I recall, the only significant weakness found was
>> related to related-keys <pun intended :>. Of course it uses 64-bit blocks in the
>> world where (most) everybody embraced 128-bit, and some toy with 256-bit
>> block ciphers.
>
>I thought there were several slide attacks on GOST (I assume the old
>'Magma' version, but I am unsure) that significantly weaken it from
>its purported key length (but are still not computable breaks.) I
>believe they kicked off with Isobe's paper in 2011[0] and then were
>improved by a number of people e.g. [1].
>
>[0] https://www.iacr.org/archive/fse2011/67330297/67330297.pdf
>[1] https://eprint.iacr.org/2011/558.pdf

Funny, I missed the Dinur--Shamir paper! Oh well. Yes, it’s against the
old GOST, now named “Magma” (as opposed to the new one named “Grasshopper”
or “Kuznechik”).

The summary is: Isobe’s attack is 2^224 time complexity, 2^32 known
plaintext pairs (half the dictionary), 2^64 memory.
Shamir’s attack: either 2^192 time complexity, 2^64 data (full
dictionary), and 2^36 memory - or 2^236 time complexity, 2^32 data, and
2^19 memory.

The best attack shaves 64 bits (a lot!) off the 256-bit key, at the cost
of pretty much having the complete dictionary, and still impractical
computations. The authors pointed out that GOST’s simplistic key schedule
contributes to the effectiveness of these attacks.

Very neat result. Of course those whose data is protected by “Magma”
don’t need to lose sleep just yet, as the authors stated. :-)