I don't know the details of GOST but it is often called the "Russian
DES" and we certainly wouldn't want to add a DES-strength cipher now.
GOST has a much larger key so it is not quite the same but overall it
seems like an old cipher whose time has passed.
You're absolutely right. Aside from the longer key, more rounds, and linear
and differential cryptanalysis resistence, it has many disadventages even
compared to DES. Some of these includes:
* key schedule virtually non-existent (subject to related key attacks)
* very simple round function with cyclic linear shift (smaller avalanche
effect)
* S-boxes' size is too short, and criteria for their choosing is not available
(something to think about in connection with "A Family of Trapdoor Ciphers" by
Vincent Rijmen and Bart Preenel)
* weak keys and short cycles exists
A few years ago it was theoretically estimated that an effective strength of
GOST cipher is approximately 2^56, that is about the same value as DES's. Not
quite what we need by today's standards. And not quite what has been always
officially supported by OpenPGP.
Respectfully yours,
Vladislav "SATtva" Miller
http://www.pgpru.com