From: nobody on
I read on wiki that the GOST hash was broken and was wondering if someone
could explain at what level? Like to a newbie, is it now worthless or is
the attack minor? Any opinions on the hash or the actual algorithm
welcomed.

From: Francois Grieu on
On 08/07/2010 01:29, it was asked:
> I read on wiki that the GOST hash was broken and was wondering if someone
> could explain at what level? Like to a newbie, is it now worthless or is
> the attack minor? Any opinions on the hash or the actual algorithm
> welcomed.

The best cryptanalyses of the GOST 34.11-94 hash that I could locate are

Florian Mendel, Norbert Pramstaller, Christian Rechberger - "A (Second)
Preimage Attack on the GOST Hash Function" - FSE 2008

Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin
Kontak, Janusz Szmidt - "Cryptanalysis of the GOST Hash Function" -
CRYPTO 2008

both available at
<http://www.iaik.tugraz.at/content/about_iaik/people/mendel_florian/>

The attacks do break the algorithm, in the sense that they are
significantly faster than brute force would be: 2^128 compression
functions for collision, 2^256 for preimage.

These attacks are theoretical: the cost of the "fastest" one is about
2^105 evaluations of the compression function (and only aims at finding
a collision, not a preimage). This is about a million million times more
than the biggest attack on hashes I know to have ever been attempted in
practice. You can rest assured that direct implementation of these
attacks is infeasible for a very long time, and is not a practical
threat in the foreseeable future.

However, attacks only get better. I would not bet the house that Florian
Mendel will be surpassed significantly, but it is perfectly conceivable
that much better attacks could appear.


Francois Grieu