Differential Cryptanalysis of GOST [pdf] (iacr.org)
18 points by tetrep on July 8, 2014 | hide | past | favorite | 10 comments


TL;DR:

> We obtain some 50 distinct attacks faster than brute force on the full 32-round GOST and we provide five nearly practical attacks on two major 128-bit variants of GOST


Usually statements such as "This paper has some serious significance both scientific and historical." (quoted from the article) are a flag of the exact opposite.

I would need more context from a more trusted source to inform my own opinion on this work.


Well, it's a break of the national symmetric encryption cypher of Russia. Changing standards like that which are used in equipment in the field is expensive. A LOT of military equipment is going to have to be changed, and if they're using ASICs as accelerators in it they'll have to change the hardware. Some of their equipment will use software only, but quite a lot likely accelerates it with hardware.

So it's certainly of historical importance. It's not often that a math paper spurs millions of dollars of changes. As for scientific importance, it's a near-practical break in a well-used cryptosystem. The breaking of DES was a similar event, and that's considered of scientific importance by the cryptography community. This isn't quite as strong a break, as building a cracker would be quite expensive, 2^101 is quite a few operations, but it's not so far outside the realm of possibility as to be unthinkable.


It seems like military equipment could benefit from removable, modular ASICs or FPGAs designed and programmed specifically for encryption.


Are there even tamperproof FPGAs?


The author of the paper follows this quote with a rant against the referees for scientific journals and conferences. Perhaps I should have quoted that. There must be a reason why Lamport, Knuth, etc. don't write in this style. But, their work is considered significant and historical. It makes me suspect that this is either not significant (why isn't this making headlines like Heartbleed?) or isn't novel, or isn't practical (really), or some combination of the above. If these claims were as significant as claimed, then they would certainly be greeted as such.

Further, from the IACR website: Papers have been placed here by the authors and did not undergo any refereeing process other than verifying that the work seems to be within the scope of cryptology and meets some minimal acceptance criteria and publishing conditions.

Finally, a quick perusal of Google scholar makes their work look at least somewhat non-unique, but again, I am not sure. Let me repeat, it is just their style which set off a small alarm bell.


Well, the reasons that he states look sound. How many other ciphers approved for classified data have been cryptanalysed?


DES:

- Matsui, M. (1994, January). Linear cryptanalysis method for DES cipher. In Advances in Cryptology—EUROCRYPT'93 (pp. 386-397). Springer Berlin Heidelberg.

- Biham, E., & Shamir, A. (1991). Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1), 3-72.

AES:

- Billet, O., Gilbert, H., & Ech-Chatbi, C. (2005, January). Cryptanalysis of a white box AES implementation. In Selected Areas in Cryptography (pp. 227-240). Springer Berlin Heidelberg.

- Bogdanov, A., Khovratovich, D., & Rechberger, C. (2011). Biclique cryptanalysis of the full AES. In Advances in Cryptology–ASIACRYPT 2011 (pp. 344-371). Springer Berlin Heidelberg.


Billet attacks a white-box construction, not AES itself. White-box cryptography involves allowing the attacker access to both the algorithm and the key; you can think of it as a mathematical abstraction of a tamper-proof smartcard. It's not a cryptanalysis of AES.


DES, never approved for classified data.

The biclique attack on AES looks a lot more impractical than the results on GOST... Looks like O(2^124) time complexity and a stupendous amount of data if I scanned the paper properly....
