
Re: draft-ietf-dnsext-dnssec-gost

2010-02-12 06:12:57


Paul Hoffman writes:


> For example, there is already a published attack on the GOST hash function that does not exist in SHA-256 and SHA-512.

That "attack" lessens the complexity of building the collision from 2**128 operations to 2**109 operations (an infinitesimal part of the overall complexity) and demands padding the meaningful message with several kilobytes of additional binary data, which is impossible for any message with a fixed format.

> The GOST algorithms have had much less cryptographic review than other algorithms.

...have had much less _published_ cryptographic review... I would say. ;)

These algorithms were thoroughly and intensively reviewed by specialists throughout the world during all the years of their existence.

The fact that these algorithms are used without changes for 20, 15 and 10 years respectively shows that these reviews were not successful.

> If that attack becomes practical, an attacker can create signatures using GOST
> that he/she could not create in RSA/SHA-256 or RSA/SHA-512.

That "attack" cannot become practical and you know that as well as everyone who works with cryptography.


dol@


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf