I would strongly advise against adopting the

BM-2cVWNiAaR5ZfhQGckifWgCE5ExouXqeDT1
Jul 10 13:17

From: colin@nyx10.cs.du.edu (Colin Plumb)
Subject: Cryptanalysis of the GOST 28147-89 cipher

The publication of this standard by Aleksandr Malchik and Whitfield Diffie of Sun, and Josef Pieprzyk and Leonid Tombak of the University of Wollongong seems to have attracted little attention. A few people have suggested that with a 256-bit key and 32 rounds, it is a good candidate replacement for the DES. I am not a skilled cryptanalyst, but my examination suggests that this is not a good idea. I'd like to share it and attract comments.

Description of the cipher:

The GOST cipher is very similar to the DES, except that

- There are no initial and final permutations
- There are 32 rounds
- There is no 32->48 bit expansion
- The subkey for each round is added, mod 2^32, to the data instead of XORed
- The S-boxes are 4->4 bits
- The S boxes are not defined by the standard
- The permutation is a rotation 11 bits to the left (i.e. in the direction of the carries in the above addition) instead of DES's more complex permutation
- The key schedule is taken from 8 32-bit words, which are used in the order 0-7,0-7,0-7,7-0 during encryption and 0-7,7-0,7-0,7-0 during decryption

The 512 bits of S-box is considered a parameter of the cryptosystem that is developed using the standard, so I assume that given their use for a long period of time at many sites, they are not secret.

Eli Biham and Adi Shamir's consideration of DES variants in their book Differential Analysis of the Data Encryption Standard is very useful here. Section 4.5.1 considers eliminating the permutation, which significantly weakens the cipher by dramatically reducing the avalanche effect. Section 4.5.3.1 considers replacing XOR by addition, which weakens the DES, but to me it seems reasonable to attribute that to throwing off the scrupulous optimisation of the S-boxes, and re-evaluating the S boxes should produce a cipher as strong. And section 4.5.6 considers eliminating the expansion, which also has a dramatic effect on the strength of the DES. The care with which the S-boxes were chosen is made particularly in sections 4.5.2, 4.5.4 and 4.5.5, but is also apparent throughout the book. Just this fact, that the GOST standard does not supply strong S-boxes, means that considerable work must be done to produce some.

The combination of these simplifications makes me doubt that even doubling the number of rounds is sufficient to make this cipher match the strength of the DES. However, it is the simplification of the permutation, leading to a change in one input bit one round affecting one S-box which then affects two in the next round, three the round after that, and so on, taking eight rounds to full avalanche, that worries me most. I am not sure there is sufficient avalanching to provide strong security. Certainly much higher-probability differentials should be possible than with the DES.

One possibility is that by choosing keys with a large number of 1 bits, carry propagation can produce avalanching between non-adjacent S-boxes. This reduces the effective key space from 256 bits, but this key space is considerably larger than necessary for security in any case, and almost certainly exceeds the strength of the cipher against analytic attack. Thus, it does not weaken the cipher against brute-force attack, while possibly increasing its strength against analytic attack. If this were not publicised, it raises the possibility that good keys are sparse, and someone not familiar with the need would almost inevitably choose a weak one. Shades of the COMSEC endorsement program! Perhaps secret organizations have a great deal in common around the world. Admittedly that is wild speculation on my part, but it does seem quite attractive. That, and the lack of supplied good S-boxes, would mean that the standard would be almost useless in the hands of someone not already cryptographically savvy.

But for these problems, I would strongly advise against adopting the cipher until these concerns have been analyzed more thoroughly. Any comments?

Addendum: Instead of output feedback mode, the feedback-free stream mode advised by the GOST standard is a variant of the counter mode that has been suggested for DES. The way it is done may be worthy of attention. The IV is first encrypted with the key. Then, for each block of random output, the two magic constants 0x01010101 and 0x01010104 are added, modulo 2^32-1 (in such a way that 0xffffffff is the preferred form of 0) to the two halves of the IV, which is then encrypted to produce the output.

-- 
-Colin
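The Feistel structure described in the post, as an added example that is not part of the original message: a toy Python implementation of the round function (subkey addition mod 2^32, eight 4->4 S-boxes, rotation 11 bits left), the key-word order the post gives for encryption and decryption, and a measurement of how many output bits flip after a chosen number of rounds, which is the avalanche concern the post raises. The S-boxes and the key are constructed demonstration values, since the standard supplies no S-boxes.

```python
import random

MASK32 = 0xFFFFFFFF

# GOST 28147-89 leaves the S-boxes to the user, so these eight 4-bit permutations
# are constructed here from a fixed seed purely for demonstration (not a standard set).
_rng = random.Random(28147)
SBOXES = [_rng.sample(range(16), 16) for _ in range(8)]

# Constructed 256-bit key as eight 32-bit words (demonstration value only).
KEY = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(8)]


def f(x, k):
    """Round function: add subkey mod 2^32, eight parallel 4->4 S-boxes, rotate left 11."""
    x = (x + k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOXES[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def subkey_order(rounds=32, decrypt=False):
    """Key word indices as the post describes: 0-7,0-7,0-7,7-0 to encrypt, 0-7,7-0,7-0,7-0 to decrypt."""
    fwd, rev = list(range(8)), list(range(7, -1, -1))
    order = fwd + rev * 3 if decrypt else fwd * 3 + rev
    return order[:rounds]


def gost_block(block, key, rounds=32, decrypt=False):
    """Feistel network on a 64-bit block (high half first); rounds < 32 is only for the avalanche measurement."""
    a, b = block >> 32, block & MASK32
    for k in subkey_order(rounds, decrypt):
        a, b = b, a ^ f(b, key[k])
    return (b << 32) | a  # undo the final swap, as in DES


def avalanche(rounds, key=KEY, trials=200, seed=1):
    """Mean number of the 64 output bits that flip when one random plaintext bit flips, after `rounds` rounds."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(trials):
        p = rng.getrandbits(64)
        delta = 1 << rng.randrange(64)
        flipped += bin(gost_block(p, key, rounds) ^ gost_block(p ^ delta, key, rounds)).count("1")
    return flipped / trials


if __name__ == "__main__":
    for r in (1, 2, 4, 8, 16, 32):
        print(f"{r:2d} rounds: {avalanche(r):5.1f} of 64 output bits flipped on average")
```

Running the script prints the mean flip count per round count; full avalanche corresponds to roughly 32 of the 64 bits, and the early rounds show how slowly a single-bit difference spreads through the 11-bit rotation.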

[chan] general
BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r