Daniel J. Bernstein and Tanja Lange

From ESC2013
Jump to: navigation, search

There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature.

We have written a paper [1] analyzing the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and discussing several strategies for fixing the definitions. We also wrote [2] to show how small DLPs can be solved more efficiently (with non-free precomputation) if there are many of them.

This talk will present some highlights.

Slides: