Re: [Cfrg] matching AES security

Tanja Lange <tanja@hyperelliptic.org> Wed, 30 July 2014 16:34 UTC

Date: Wed, 30 Jul 2014 18:34:09 +0200
From: Tanja Lange <tanja@hyperelliptic.org>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <20140730163409.GH28679@cph.win.tue.nl>
References: <20140730123336.29011.qmail@cr.yp.to> <53D8FBDB.4060601@htt-consult.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/5jZq_ChGuGytgwb5R29UpamH71Q
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] matching AES security

Dear Bob,
> In the typical devices I work with there will be at best one ECDHE 
> exchange per day. Sometimes only once per month. (one message/5min = 312 
> short messages/day to protect with AES-CCM or GCM). (we are working on 
> changing once per life of sensor)
> 
> Now if you look at the server side that is receiving messages from 
> 10,000 fielded sensors and thus has 10,000 ECDHE exchanges/day (or per 
> month), then the risk is a tad different?
>
For every ECDHE there is a fresh AES key, so for whatever number 
of key exchanges you assume there is also an AES target. This is on
top of long-term connections that update the AES keys and devices
that use only symmetric keys. If that number is less than 2^50 then
the worry about finding AES-128 keys by chance gets smaller, but 
in any case it's significantly easier than breaking the DLP on an
elliptic curve over a field of ~256 bits (which needs 2^128 group
operations, so more than 2^140 bit operations).
 
All the best
	Tanja
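As an added illustration of the comparison in the message above (this is example code, not part of Tanja's mail or of any CFRG draft): the multi-target cost model for AES-128 key search against T fresh keys, the generic-attack cost for a ~256-bit ECDLP, and a small simulated batch search over a toy keyspace. The 2^12 bit operations per group operation and the SHA-256 stand-in for AES are assumptions made here for the illustration.

```python
import hashlib
import math
import random


def log2_multi_target_work(key_bits: int, targets: int) -> float:
    """log2 of the expected trial encryptions needed to hit *any* of T keys.

    Every ECDHE produces a fresh AES key, so with T sessions there are T
    targets.  A candidate key is encrypted once and looked up in a table of
    the targets' known (plaintext, ciphertext) pairs, so the per-trial cost
    does not grow with T and the expected work is 2^k / T.
    """
    return key_bits - math.log2(targets)


def log2_ecdlp_work(field_bits: int, log2_bitops_per_group_op: int = 12) -> float:
    """log2 of bit operations for a generic (rho-style) ECDLP attack.

    About 2^(n/2) group operations for an n-bit field; the 2^12 bit
    operations per group operation is an assumption that reproduces the
    '> 2^140 bit operations' figure from the message.
    """
    return field_bits / 2 + log2_bitops_per_group_op


def toy_prf(key: int, key_bits: int) -> bytes:
    """Stand-in for AES on a fixed plaintext (toy only: SHA-256 of the key)."""
    return hashlib.sha256(key.to_bytes((key_bits + 7) // 8, "big")).digest()[:8]


def multi_target_search(key_bits: int, num_targets: int, seed: int = 1) -> int:
    """Simulate a batch key search on a small keyspace.

    Constructs num_targets random keys, stores their PRF outputs in a set,
    then tries candidates 0, 1, 2, ... and returns how many trials it took
    to recover the first target key.  Expected value is about 2^k / (T + 1).
    """
    rng = random.Random(seed)
    targets = {toy_prf(rng.getrandbits(key_bits), key_bits) for _ in range(num_targets)}
    for candidate in range(1 << key_bits):
        if toy_prf(candidate, key_bits) in targets:
            return candidate + 1
    raise RuntimeError("unreachable: every target lies inside the keyspace")


if __name__ == "__main__":
    print("AES-128 vs 2^50 targets:  2^%.0f trial encryptions" % log2_multi_target_work(128, 2**50))
    print("ECDLP, 256-bit field:     2^%.0f bit operations" % log2_ecdlp_work(256))
    print("toy 2^20 keyspace, 256 targets: first hit after %d trials" % multi_target_search(20, 256))
```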