Difference between revisions of "Daniel J. Bernstein and Tanja Lange"

From ESC2013
Latest revision as of 04:26, 15 January 2013

There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature.

We have written a paper [http://eprint.iacr.org/2012/318] analyzing the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and discussing several strategies for fixing the definitions. We also wrote [http://eprint.iacr.org/2012/458] to show how small DLPs (discrete logarithm problems) can be solved more efficiently (with non-free precomputation) if there are many of them.

This talk will present some highlights.

Slides:
* [[Media:20130115.pdf|standard version]]
* [[Media:20130115-twopage.pdf|two-page version]]