Daniel J. Bernstein and Tanja Lange

From ESC2013
Revision as of 01:09, 15 January 2013 by Guest

There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature.

We have written a paper [1] analyzing the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and discussing several strategies for fixing the definitions. We also wrote [2] to show how small discrete logarithm problems (DLPs) can be solved more efficiently (with non-free precomputation) if there are many of them.
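The effect described above, as an added toy illustration that is not code from the authors or from [2]: a one-time precomputation (rho-style walks that record distinguished points and their known logarithms) is built for a small prime-order group, and each later DLP in that group is then solved with far fewer group operations than a fresh generic attack would need. A security definition that does not charge for the table sees only the cheap online phase, which is the flaw the abstract refers to. The group parameters (P = 10007, Q = 5003, G = 4), the walk with R = 32 multipliers and the distinguished-point rule are constructed assumptions for the demonstration.

```python
import random

# Constructed toy parameters: P = 2*Q + 1 with P, Q prime; G = 4 generates
# the order-Q subgroup of Z_P^* (the quadratic residues).
P, Q, G = 10007, 5003, 4
R = 32             # number of precomputed multipliers used by the walk
DIST_MASK = 0x0F   # x is "distinguished" when x & 0x0F == 0 (about 1 in 16)
MAX_STEPS = 2000   # give up on a walk that cycles without a distinguished point

SEEDED = random.Random(1)                             # fixed seed for reproducibility
STEP_EXP = [SEEDED.randrange(1, Q) for _ in range(R)]  # exponents a_i
STEP_MUL = [pow(G, e, P) for e in STEP_EXP]            # multipliers G^a_i

def walk(x, exp):
    """Deterministic walk x -> x * G^a_i with i = x mod R; `exp` tracks the
    exponent added so far. Returns (distinguished point, exp, steps) or None."""
    steps = 0
    while steps < MAX_STEPS:
        if x & DIST_MASK == 0:
            return x, exp, steps
        i = x % R
        x, exp, steps = x * STEP_MUL[i] % P, (exp + STEP_EXP[i]) % Q, steps + 1
    return None

def precompute(table_size, rng=SEEDED):
    """Offline phase: map distinguished points d to log_G(d). Paid once; a
    non-uniform definition treats this work (and the table) as free."""
    table = {}
    while len(table) < table_size:
        a = rng.randrange(Q)
        res = walk(pow(G, a, P), a)          # walk starts at G^a with exp = a
        if res is not None:
            table[res[0]] = res[1]           # invariant: res[0] == G^res[1] mod P
    return table

def solve_dlog(h, table, rng=SEEDED, max_tries=1000):
    """Online phase: return (x, online group ops) with G^x == h mod P."""
    for _ in range(max_tries):
        b = rng.randrange(Q)
        res = walk(h * pow(G, b, P) % P, b)  # start at h * G^b, so x == h * G^exp
        if res is None:
            continue
        d, shift, steps = res
        if d in table:
            # d == h * G^shift == G^table[d]  =>  h == G^(table[d] - shift)
            return (table[d] - shift) % Q, steps
    raise RuntimeError("no table hit; enlarge the table or retry")

if __name__ == "__main__":
    table = precompute(64)
    for secret in (123, 2500, 4999):
        x, ops = solve_dlog(pow(G, secret, P), table)
        print(f"secret={secret} recovered={x} online_ops={ops}")
```

The online cost per DLP is on the order of the average walk length (about 16 steps here), while a generic attack without the table needs roughly sqrt(Q), about 71 group operations, for this toy group; the gap only grows with the group size and the table size.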

This talk will present some highlights.