Given the precedent that has been established for removing the SPECK cipher from the kernel, I wonder if we should be removing Streebog on the same basis, in light of the following work: https://who.paris.inria.fr/Leo.Perrin/pi.html https://tosc.iacr.org/index.php/ToSC/article/view/7405 Regards, - Ted ----------- >From the Cryptography mailing list on metzdowd.com: From: "perrin.leo@xxxxxxxxx" <perrin.leo@xxxxxxxxx> Subject: [Cryptography] New Results on the Russian S-box Hello everyone, I have recently sent an e-mail to the CFRG mailing list about my results on the S-box shared by both of the latest Russian standards in symmetric crypto and I have been told that it might interest the subscribers of this mailing list. In a paper that I am about to present at the Fast Software Encryption conference, I describe what I claim to be the structure used by the S-box of the hash function Streebog and the block cipher Kuznyechik. Their authors never disclosed their design process---and in fact claimed that it was generated randomly. I established that it is not the case. More worryingly, the structure they used has a very strong algebraic structure which, in my opinion, demands a renewed security analysis in its light. Overall, I would not recommend using these algorithms until their designers have provided satisfactory explanations about their S-box choice.
