Differential Cryptanalysis of GOST
There's a new paper, "Differential Cryptanalysis of GOST," that seems to make some fairly bold claims about the Russian symmetric cipher GOST being non-secure:
In this paper we show that GOST is NOT SECURE even against differential cryptanalysis (DC), or rather advanced attacks based on sets of differentials. We will revisit the idea by Schneier and Russian researchers who once claimed that GOST is very secure against DC, maybe for as few as 7 rounds out of 32. Yet two Japanese researchers were already able to break about 13 rounds. In this paper we show a first advanced differential attack faster than brute force on full 32-round GOST. This paper is just a sketch and a proof of concept. Better differential attacks on GOST will be published soon.
But how NOT SECURE is GOST? The paper says:
Our current attack requires 2^64 KP and allows to break full 32-round GOST in time of about 2^223 GOST encryptions which is faster than brute force. This attack is just a sketch and a proof of concept. Better differential attacks on GOST with more detailed study and analysis will be published soon.
As I've mentioned before, 2^64 known GOST plaintexts would take about half the world's current storage capacity to hold, so any attack that rests on that assumption isn't very feasible. And 2^223 GOST encryptions is a level of work that is extremely infeasible today and always will be: it is the regime where Landauer's principle (the minimum energy needed to erase one bit) becomes a significant constraint, telling you that you'd need more energy than several stars will ever put out to carry out the attack. The bottom line is that I'm still led to believe that GOST is secure enough to protect most forms of sensitive information.
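To put numbers on the two feasibility arguments above, here is an added worked calculation (my own, not part of the paper or the original post). It sizes the 2^64 known-plaintext requirement in bytes, applies the Landauer bound to 2^223 encryptions, and compares the resulting energy with the Sun's total lifetime output. The constants (Boltzmann's constant, 300 K operating temperature, the Sun's luminosity and a 10^10-year lifetime) and the assumption of a single bit erasure per encryption are my inputs; a real GOST encryption erases far more than one bit, so the energy figure is a generous lower bound.

```python
import math

# Physical constants (CODATA / standard astrophysical values; my inputs, not from the paper).
BOLTZMANN_J_PER_K = 1.380649e-23   # Boltzmann constant, J/K
SUN_LUMINOSITY_W = 3.828e26        # Solar luminosity, W
SUN_LIFETIME_S = 1e10 * 365.25 * 86400   # ~10 billion years in seconds

# GOST parameters that are public facts: 64-bit block, 256-bit key.
GOST_BLOCK_BYTES = 8
GOST_KEY_BITS = 256


def landauer_joules_per_bit(temp_kelvin: float = 300.0) -> float:
    """Minimum energy to erase one bit at the given temperature: k*T*ln(2)."""
    return BOLTZMANN_J_PER_K * temp_kelvin * math.log(2)


def attack_energy_joules(log2_ops: float, bit_erasures_per_op: float = 1.0,
                         temp_kelvin: float = 300.0) -> float:
    """Landauer lower bound on the energy of 2^log2_ops operations.

    bit_erasures_per_op=1 is a deliberately optimistic assumption; a block
    cipher evaluation erases many bits, so the true cost is much higher.
    """
    return 2.0 ** log2_ops * bit_erasures_per_op * landauer_joules_per_bit(temp_kelvin)


def sun_lifetime_joules() -> float:
    """Total energy the Sun radiates over its assumed 10^10-year lifetime."""
    return SUN_LUMINOSITY_W * SUN_LIFETIME_S


def sun_lifetimes_for_attack(log2_ops: float = 223.0) -> float:
    """How many whole solar lifetimes of energy the attack needs (lower bound)."""
    return attack_energy_joules(log2_ops) / sun_lifetime_joules()


def known_plaintext_bytes(log2_pairs: float = 64.0, block_bytes: int = GOST_BLOCK_BYTES) -> float:
    """Storage for 2^log2_pairs known plaintext/ciphertext pairs (both halves kept)."""
    return 2.0 ** log2_pairs * 2 * block_bytes


def log2_speedup_over_brute_force(log2_attack: float = 223.0, key_bits: int = GOST_KEY_BITS) -> float:
    """log2 of how much cheaper the attack is than exhaustive key search."""
    return key_bits - log2_attack


if __name__ == "__main__":
    print(f"2^64 KP storage:        {known_plaintext_bytes():.3g} bytes "
          f"({known_plaintext_bytes() / 1e18:.0f} EB)")
    print(f"Landauer bound, 2^223:  {attack_energy_joules(223):.3g} J")
    print(f"Sun lifetime output:    {sun_lifetime_joules():.3g} J")
    print(f"Solar lifetimes needed: {sun_lifetimes_for_attack():.0f}")
    print(f"Speedup over 2^256:     2^{log2_speedup_over_brute_force():.0f}")
```

Even with the absurdly charitable "one bit erasure per encryption" assumption, 2^223 operations cost a few hundred times the Sun's entire lifetime energy output, which is the sense in which the attack is "faster than brute force" only on paper: it shaves 2^33 off a 2^256 search that was never going to happen either.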