Difference between revisions of "Daniel J. Bernstein and Tanja Lange"

From ESC2013
 
Line 1: Line 1:
There is a flaw in the standard sec urity definitions used in the literature on provable concrete security.
+
There is a flaw in the standard security definitions used in the literature on provable concrete security.
 
The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256  
 
The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256  
 
elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower  
 
elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower  
Line 6: Line 6:
  
 
We have written a paper [http://eprint.iacr.org/2012/318] analyzing the magnitude of the flaw in detail,  
 
We have written a paper [http://eprint.iacr.org/2012/318] analyzing the magnitude of the flaw in detail,  
showing how it varies across cryptosystems and across cost metrics, and discussesing several strategies  
+
showing how it varies across cryptosystems and across cost metrics, and discussing several strategies  
 
for fixing the definitions. We also wrote [http://eprint.iacr.org/2012/458] to show how small DLPs can be
 
for fixing the definitions. We also wrote [http://eprint.iacr.org/2012/458] to show how small DLPs can be
 
solved more efficiently (with non-free precomputation) if there are many of them.
 
solved more efficiently (with non-free precomputation) if there are many of them.

Latest revision as of 04:26, 15 January 2013

There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature.

We have written a paper [1] (http://eprint.iacr.org/2012/318) analyzing the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and discussing several strategies for fixing the definitions. We also wrote [2] (http://eprint.iacr.org/2012/458) to show how small DLPs can be solved more efficiently (with non-free precomputation) if there are many of them.
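The idea behind the second paper, that one non-free precomputation can be amortised over many small DLPs, as an added toy example (this is not code from the authors' papers or from the ESC2013 page): a table of distinguished points is built once by deterministic walks in a constructed prime-order group (p = 10007, subgroup order 5003, generator 4), then every target is solved by walking until it lands on a stored point. The walk function, the distinguished-point rule and all sizes are simplified assumptions chosen for illustration, not the paper's parameters.

```python
import random

# Constructed toy group: 10007 is prime and 4 generates its subgroup of prime order 5003.
P, ELL, G = 10007, 5003, 4
W, MAX_WALK = 16, 320           # about one point in W is "distinguished"; give up after 320 steps

def step(y, e):
    """One deterministic walk step: multiply y by g^k, k chosen from y's low bits, and track e."""
    k = 1 + (y % 8)
    return (y * pow(G, k, P)) % P, (e + k) % ELL

def walk(y, e):
    """Walk until a distinguished point; return (point, exponent, steps) or None if it cycled."""
    for steps in range(MAX_WALK):
        if y % W == 0:
            return y, e, steps
        y, e = step(y, e)
    return None

def precompute(table_size, rng):
    """Non-free precomputation: walk from random powers of g and store where each walk ends.
    table_size must stay well below ELL / W (the number of distinguished points)."""
    table, ops = {}, 0
    while len(table) < table_size:
        r = rng.randrange(1, ELL)
        res = walk(pow(G, r, P), r)           # point g^r carries exponent r
        ops += res[2] if res else MAX_WALK
        if res:
            table[res[0]] = res[1]            # distinguished point d = g^a  ->  a
    return table, ops

def solve(h, table, rng, max_restarts=1000):
    """Solve g^x = h for one target with the shared table; returns (x, online group ops)."""
    ops = 0
    for _ in range(max_restarts):
        r = rng.randrange(1, ELL)
        res = walk((h * pow(G, r, P)) % P, r)  # start at h*g^r, so y = h*g^e along the walk
        ops += res[2] if res else MAX_WALK
        if res and res[0] in table:            # d = g^a and d = h*g^e  =>  h = g^(a-e)
            x = (table[res[0]] - res[1]) % ELL
            if pow(G, x, P) == h:
                return x, ops
    raise ValueError("no table hit; enlarge the table or allow more restarts")

def solve_many(targets, table_size, seed=1):
    """Amortise one table over many DLPs; returns (logs, precomputation ops, total online ops)."""
    rng = random.Random(seed)
    table, pre_ops = precompute(table_size, rng)
    results = [solve(h, table, rng) for h in targets]
    return [x for x, _ in results], pre_ops, sum(ops for _, ops in results)
```

Compare the online cost per target with the one-off precomputation cost: the table is paid for once, and each additional DLP only costs a short walk.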

This talk will present some highlights.

Slides: