I would strongly advise against adopting the

BM-2cVWNiAaR5ZfhQGckifWgCE5ExouXqeDT1
Jul 10 13:17

From: colin@nyx10.cs.du.edu (Colin Plumb)
Subject: Cryptanalysis of the GOST 28147-89 cipher

The publication of this standard by Aleksandr Malchik and Whitfield Diffie of Sun, and Josef Pieprzyk and Leonid Tombak of the University of Wollongong seems to have attracted little attention. A few people have suggested that with a 256-bit key and 32 rounds, it is a good candidate replacement for the DES. I am not a skilled cryptanalyst, but my examination suggests that this is not a good idea. I'd like to share it and attract comments.

Description of the cipher:

The GOST cipher is very similar to the DES, except that
- There are no initial and final permutations
- There are 32 rounds
- There is no 32->48 bit expansion
- The subkey for each round is added, mod 2^32, to the data instead of XORed
- The S-boxes are 4->4 bits
- The S-boxes are not defined by the standard
- The permutation is a rotation 11 bits to the left (i.e. in the direction of the carries in the above addition) instead of DES's more complex permutation
- The key schedule is taken from 8 32-bit words, which are used in the order 0-7,0-7,0-7,7-0 during encryption and 0-7,7-0,7-0,7-0 during decryption

The 512 bits of S-box is considered a parameter of the cryptosystem that is developed using the standard, so I assume that given their use for a long period of time at many sites, they are not secret.

Eli Biham and Adi Shamir's consideration of DES variants in their book Differential Cryptanalysis of the Data Encryption Standard is very useful here. Section 4.5.1 considers eliminating the permutation, which significantly weakens the cipher by dramatically reducing the avalanche effect. Section 4.5.3.1 considers replacing XOR by addition, which weakens the DES, but to me it seems reasonable to attribute that to throwing off the scrupulous optimisation of the S-boxes, and re-evaluating the S-boxes should produce a cipher as strong. And section 4.5.6 considers eliminating the expansion, which also has a dramatic effect on the strength of the DES.

The care with which the S-boxes were chosen is made particularly in sections 4.5.2, 4.5.4 and 4.5.5, but is also apparent throughout the book. Just this fact, that the GOST standard does not supply strong S-boxes, means that considerable work must be done to produce some.

The combination of these simplifications makes me doubt that even doubling the number of rounds is sufficient to make this cipher match the strength of the DES. However, it is the simplification of the permutation, leading to a change in one input bit in one round affecting one S-box which then affects two in the next round, three the round after that, and so on, taking eight rounds to full avalanche, that worries me most. I am not sure there is sufficient avalanching to provide strong security. Certainly much higher-probability differentials should be possible than with the DES.

One possibility is that by choosing keys with a large number of 1 bits, carry propagation can produce avalanching between non-adjacent S-boxes. This reduces the effective key space from 256 bits, but this key space is considerably larger than necessary for security in any case, and almost certainly exceeds the strength of the cipher against analytic attack. Thus, it does not weaken the cipher against brute-force attack, while possibly increasing its strength against analytic attack. If this were not publicised, it raises the possibility that good keys are sparse, and someone not familiar with the need would almost inevitably choose a weak one. Shades of the COMSEC endorsement program! Perhaps secret organizations have a great deal in common around the world. Admittedly that is wild speculation on my part, but it does seem quite attractive. That, and the lack of supplied good S-boxes, would mean that the standard would be almost useless in the hands of someone not already cryptographically savvy.

But for these problems, I would strongly advise against adopting the cipher until these concerns have been analyzed more thoroughly. Any comments?

Addendum: Instead of output feedback mode, the feedback-free stream mode advised by the GOST standard is a variant of the counter mode that has been suggested for DES. The way it is done may be worthy of attention. The IV is first encrypted with the key. Then, for each block of random output, the two magic constants 0x01010101 and 0x01010104 are added, modulo 2^32-1 (in such a way that 0xffffffff is the preferred form of 0), to the two halves of the IV, which is then encrypted to produce the output.

-- 
-Colin
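Added example (not part of the quoted post, and not a conforming GOST 28147-89 implementation): a toy Feistel network built only from the structure the post lists (mod 2^32 subkey addition, eight 4->4 S-boxes, rotate left by 11, the 0-7,0-7,0-7,7-0 key order), with an `active_sboxes_per_round` probe that encrypts two blocks side by side and counts, round by round, how many S-boxes see a different input nibble. It makes the post's two avalanche claims concrete: with an all-zero key a one-bit difference activates exactly one S-box in round 1, then spreads by one or two nibbles per round; with an all-ones key the carry in the first addition can reach every nibble at once. The `keystream` function follows the post's description of the feedback-free stream mode. Assumptions: the S-boxes are seeded pseudo-random permutations (the standard supplies none, and these are not claimed to be strong); the half ordering and final-round swap are conventional Feistel choices; the post does not say which magic constant is added to which half of the IV, so that assignment, and the representation of zero as 0xffffffff, are guesses.

```python
# Added example, not code from the post or from any GOST library.
# ASSUMPTIONS: seeded pseudo-random S-boxes; conventional Feistel half ordering;
# counter-mode constant-to-half assignment not given by the post (guessed here).
import random

MASK32 = 0xFFFFFFFF


def make_sboxes(seed=1):
    """Eight 4->4-bit bijections. Placeholder only: the post says strong S-boxes
    must be chosen with care, and these were not."""
    rng = random.Random(seed)
    boxes = []
    for _ in range(8):
        p = list(range(16))
        rng.shuffle(p)
        boxes.append(p)
    return boxes


def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sbox_layer(x, sboxes):
    y = 0
    for i in range(8):
        y |= sboxes[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return y


def round_f(r, k, sboxes):
    # subkey added mod 2^32, then S-boxes, then the 11-bit left rotation
    return rol32(sbox_layer((r + k) & MASK32, sboxes), 11)


def enc_subkeys(key):  # key = eight 32-bit words, used 0-7,0-7,0-7,7-0
    return list(key) * 3 + list(reversed(key))


def dec_subkeys(key):  # 0-7,7-0,7-0,7-0: the encryption order reversed
    return list(key) + list(reversed(key)) * 3


def feistel(block, subkeys, sboxes):
    l, r = block >> 32, block & MASK32
    for k in subkeys:
        l, r = r, l ^ round_f(r, k, sboxes)
    return (r << 32) | l  # undo the swap of the final round


def encrypt(block, key, sboxes):
    return feistel(block, enc_subkeys(key), sboxes)


def decrypt(block, key, sboxes):
    return feistel(block, dec_subkeys(key), sboxes)


def active_sboxes_per_round(block_a, block_b, key, sboxes):
    """Encrypt two blocks in lockstep; per round, count S-boxes whose input
    nibble differs between the two encryptions ('active' S-boxes)."""
    la, ra = block_a >> 32, block_a & MASK32
    lb, rb = block_b >> 32, block_b & MASK32
    counts = []
    for k in enc_subkeys(key):
        xa, xb = (ra + k) & MASK32, (rb + k) & MASK32
        counts.append(sum((((xa ^ xb) >> (4 * i)) & 0xF) != 0 for i in range(8)))
        la, ra = ra, la ^ round_f(ra, k, sboxes)
        lb, rb = rb, lb ^ round_f(rb, k, sboxes)
    return counts


def add_mod_2_32_minus_1(a, b):
    """Addition modulo 2^32-1, with 0xFFFFFFFF as the preferred form of 0."""
    s = a + b
    if s > MASK32:
        s -= MASK32
    return MASK32 if s == 0 else s


def keystream(iv, key, sboxes, nblocks):
    """Feedback-free stream mode as the post describes it: encrypt the IV once,
    then per block add the two constants to the halves and encrypt the result.
    ASSUMPTION: 0x01010104 goes to the low half, 0x01010101 to the high half."""
    state = encrypt(iv, key, sboxes)
    hi, lo = state >> 32, state & MASK32
    out = []
    for _ in range(nblocks):
        lo = add_mod_2_32_minus_1(lo, 0x01010104)
        hi = add_mod_2_32_minus_1(hi, 0x01010101)
        out.append(encrypt((hi << 32) | lo, key, sboxes))
    return out


if __name__ == "__main__":
    S = make_sboxes()
    pt = 0x0123456789ABCDEF  # constructed sample plaintext
    print("zero key, flip bit 0:", active_sboxes_per_round(pt, pt ^ 1, [0] * 8, S))
    print("all-ones key, 0 vs 1:", active_sboxes_per_round(0, 1, [MASK32] * 8, S))
```

Reading the first printed list against the post: round 1 shows a single active S-box, round 2 at most two (the four output bits of one S-box land on bits 11-14 after the rotation, straddling two nibbles), and the count keeps climbing by a nibble or two per round. The second list shows the other half of the post's argument: adding 0xFFFFFFFF to 0 and to 1 gives 0xFFFFFFFF and 0x00000000, so the carry turns a one-bit difference into eight active S-boxes in the very first round.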

[chan] general
BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r