
List:       cfrg
Subject:    Re: [Cfrg] Any update on GOST or more generally?
From:       Stephen Farrell <stephen.farrell () cs ! tcd ! ie>
Date:       2012-10-21 23:41:32
Message-ID: 5084882C.3030507 () cs ! tcd ! ie

Hi Jon,

See below...

On 10/22/2012 12:19 AM, Jon Callas wrote:
> 
> On Oct 21, 2012, at 2:08 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> > 
> > Hiya,
> > 
> > Someone asked me about [1] and whether the IETF ought make
> > any changes as a result.
> > 
> > My initial reaction was that 2^172 is still more than 3DES
> > but it's probably worth asking here.
> > 
> > Any CFRG thoughts on this development or more generally if
> > there are changes with other cryptographic functions
> > are welcome.
> > 
> > No need for an I-D, some mail is fine and we could take it
> > from there if there's something to do.
> > 
> > Thanks,
> > S.
> > 
> > [1] http://eprint.iacr.org/2012/138
> 
> What sort of changes?

Dunno. Depends on what's the right thing to do.

I guess that could vary from 'do nothing' up to 'write an
I-D saying "<foo> considered harmful" that also deprecates
some code points in various IANA registries.'

[...good stuff snipped, though more is welcome...]

> Courtois also notes that there's been a lot of cryptanalysis on it since 2010. If
> you felt that GOST was dodgy, you now have more reasons. If you want it as an
> alternative to AES, you can quote <http://eprint.iacr.org/2009/374> which has a
> 2^119 complexity attack against AES-256, making it arguably weaker than AES-128.
> (Interestingly, the same paper gives an attack against AES-192 with 2^176
> complexity and the same reasoning would have it stronger than either GOST or other
> AES key sizes). The arguments for using GOST as an alternative to AES still stand,
> if that's what floats your boat. And as I noted above, if you are doing business in
> Russia, this is all irrelevant as you just have to use GOST.

I'd love to know if someone's actually measured how much
these national/vanity ciphersuites are actually used in
IETF protocols.

S.

> All of this is reason for us in the IETF to take note and just keep paying
> attention. If we're going to use this as a reason to advise for or against GOST, we
> really need to consider the BDKKS attack on large-key AES. None of these attacks
> are practical, though, and anything with a real 128 bits of security is likely good
> for the next couple-three decades. Most of us pick ciphers by a combination of
> security SWAG and fiat. This might change one's SWAG, but it doesn't change the
> fiat.
> 	Jon