Difference between revisions of "Daniel J. Bernstein and Tanja Lange"

From ESC2013
Line 1: Line 1:
There is a flaw in the standard security definitions used in the literature on provable concrete security.
+
There is a flaw in the standard sec urity definitions used in the literature on provable concrete security.
 
The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256  
 
The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256  
 
elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower  
 
elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower  
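Review bot: the added first line reads "sec urity", where the line it replaces had "security", and the stray space carries through to the rendered abstract. Restore "security" unless the split is deliberate; the rest of the paragraph in this hunk is unchanged.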
Line 11: Line 11:
  
 
This talk will present some highlights.
 
This talk will present some highlights.
 +
 +
Slides:
 +
* [[Media:20130115.pdf‎|standard version]]
 +
* [[Media:20130115-twopage.pdf‎|two-page version]]

Revision as of 04:24, 15 January 2013

There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature.

We have written a paper [1] analyzing the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and discussing several strategies for fixing the definitions. We also wrote [2] to show how small DLPs can be solved more efficiently (with non-free precomputation) if there are many of them.

This talk will present some highlights.

Slides: