On Apr 27, 2009, at 8:02 AM, Christian Rechberger wrote:
> Quoting Paul Hoffman <paul.hoffman at vpnc.org>:
>
> At 6:00 AM -0700 4/27/09, David McGrew wrote:
>
> some other important questions: how widely reviewed is that algorithm?
>
> I believe that Ólafur would like CFRG to determine the answer to that question. The expertise for "how widely reviewed" is in this group, not in DNSEXT.
>
> What are the claimed security levels?
>
> And herein lies a problem. The GOST specs are in Russian. I do not believe that there are any official English translations, and that the unofficial ones are expensive. (I would love to be wrong about either of those statements.) I have Cc'd the author of the relevant draft on this message so he can help.
>
> Where is guidance on how to use the algorithm?
>
> In the draft itself: <http://www.ietf.org/internet-drafts/draft-dolmatov-dnsext-dnssec-gost-00.txt>

The draft doesn't have a "security considerations" section. There is no guidance other than key size and hash size, and neither the draft nor RFC 4357 describe what the targeted security level is, or describe the attacks mentioned by Christian below. The Internet community deserves more information from its standards track documents.
It appears that the specification for the GOST R 34.11-94 hash function is not easily accessible. It is only referenced by RFC 4491, and is not defined there. If there really is an expectation that the hash will be widely used on the Internet, then there should be an RFC that specifies how to implement the hash, as RFC 3394 did for the NIST Key Wrap algorithm, for instance.
If I'm missing some source of information, I hope that someone will point it out,
David

> I cannot find any references to it in the peer-reviewed literature. Perhaps I am not using the right keyword or something.
>
> Here are a few:
>
> <http://www.iacr.org/conferences/asiacrypt2005/rump/Dunkelman_AC05_Rump.pdf>
> <https://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=80200&pCurrPk=36649>
> <https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=81262>
>
> If anyone on the CFRG list has reviewed the algorithm, it would be great if we could hear from them.
>
> Yes, please!
>
> I'm one of the authors of the above mentioned papers.
>
> To cut a long story short: We looked at the alleged GOST hash (using unofficial translations and help from people knowing Russian), and found both collision and preimage attacks, suggesting that the GOST hash function is less secure than one would expect from a "good" hash function.
>
> Note that none of the attacks we propose is practical. Still, no such attacks are known on any of the SHA-2 hash functions.
>
> Best regards,
> Christian
> _______________________________________________
> Cfrg mailing list
> Cfrg at irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg