[oss-gost-crypto] Fwd: Should we consider removing Streebog from the Linux Kernel?
Vitaly Chikunov
vt at altlinux.org
Mon Mar 25 07:51:31 MSK 2019
FYI.
----- Forwarded message from Theodore Ts'o <tytso at mit.edu> -----
Date: Mon, 25 Mar 2019 00:45:50 -0400
From: Theodore Ts'o <tytso at mit.edu>
To: "Jason A. Donenfeld" <Jason at zx2c4.com>, herbert at gondor.apana.org.au, Vitaly Chikunov <vt at altlinux.org>, linux-crypto at vger.kernel.org
Subject: Should we consider removing Streebog from the Linux Kernel?
User-Agent: Mutt/1.10.1 (2018-07-13)
Given the precedent that has been established for removing the SPECK
cipher from the kernel, I wonder if we should be removing Streebog on
the same basis, in light of the following work:
https://who.paris.inria.fr/Leo.Perrin/pi.html
https://tosc.iacr.org/index.php/ToSC/article/view/7405
Regards,
- Ted
-----------
>From the Cryptography mailing list on metzdowd.com:
From: "perrin.leo at gmail.com" <perrin.leo at gmail.com>
Subject: [Cryptography] New Results on the Russian S-box
Hello everyone,
I have recently sent an e-mail to the CFRG mailing list about my results
on the S-box shared by both of the latest Russian standards in symmetric
crypto and I have been told that it might interest the subscribers of
this mailing list.
In a paper that I am about to present at the Fast Software Encryption
conference, I describe what I claim to be the structure used by the
S-box of the hash function Streebog and the block cipher Kuznyechik.
Their authors never disclosed their design process---and in fact claimed
that it was generated randomly. I established that it is not the case.
More worryingly, the structure they used has a very strong algebraic
structure which, in my opinion, demands a renewed security analysis in
its light. Overall, I would not recommend using these algorithms until
their designers have provided satisfactory explanations about their
S-box choice.
----- End forwarded message -----
More information about the oss-gost-crypto
mailing list