IETF Logo Mail Archive

Re: [Cfrg] Task looming over the CFRG

Watson Ladd <watsonbladd@gmail.com> Tue, 06 May 2014 22:19 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B5A21A0643 for <cfrg@ietfa.amsl.com>; Tue, 6 May 2014 15:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMXdDBU4OsJB for <cfrg@ietfa.amsl.com>; Tue, 6 May 2014 15:19:55 -0700 (PDT)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) by ietfa.amsl.com (Postfix) with ESMTP id 175E91A0601 for <cfrg@irtf.org>; Tue, 6 May 2014 15:19:55 -0700 (PDT)
Received: by mail-yk0-f176.google.com with SMTP id q9so131404ykb.7 for <cfrg@irtf.org>; Tue, 06 May 2014 15:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fNY9kEUFFNNWfuV0S6hv5MkAW6mjkJPW/8GR7RgmiRE=; b=zMXFV/L3Ariqkagcbx7G4QLY4QeiqL9wl7UoqlyPbWFm8CxcKA1oONdrwSITjcz+tS lZUR6CTcLNdR4QNTtuI30LAgbp+1dFhHxRlzMxTtryFWRhi/Fx+2swYQh5YqSp1/217c 4PuEPLeDc6wi7QqULDdhjj3aPlfF2GgCJf+iWNW/ONnRF7Qj7b6wztE/2VTQ+rj9we4O n/j2aKV/BVuY/ZBSmkmbdA0qw+jqXCQKdWXRDhH/VwYtq0eJtNKtwoCNJ2cydOiFD2tr 6vmqEFX/Qx4CvWI8MM9BhVexEqQtunl+/H28MBlzBScG6VtYeDxLSV68RY4EB373cKDt DsjA==
MIME-Version: 1.0
X-Received: by 10.236.134.71 with SMTP id r47mr62097161yhi.83.1399414791095; Tue, 06 May 2014 15:19:51 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 6 May 2014 15:19:51 -0700 (PDT)
In-Reply-To: <10B251F2-C589-4AFD-BAD8-9AA1B11E68E6@ll.mit.edu>
References: <3C4AAD4B5304AB44A6BA85173B4675CABAA4022F@MSMR-GH1-UEA03.corp.nsa.gov> <E98B42D5-610C-4532-B765-5819A35A456C@shiftleft.org> <3C4AAD4B5304AB44A6BA85173B4675CABAA404E9@MSMR-GH1-UEA03.corp.nsa.gov> <B8586319-F1E6-4CA6-B70E-4D6153DC19A5@shiftleft.org> <10B251F2-C589-4AFD-BAD8-9AA1B11E68E6@ll.mit.edu>
Date: Tue, 06 May 2014 15:19:51 -0700
Message-ID: <CACsn0cnGGvtq3bVjm_YWVdP_Q-CxJBfnVU6pOjMiOMFx9S9vXg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6e_p3ElqI9A-7BpTAgpziuaAs8Y
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Task looming over the CFRG
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 22:19:57 -0000

On Mon, May 5, 2014 at 2:34 PM, Blumenthal, Uri - 0668 - MITLL
<uri@ll.mit.edu> wrote:
> IMHO, the logic/reason of matching security levels of the cryptographic
> algorithms employed in a protocol suite is fairly obvious and does not need
> an explicit justification. There might be a reason to have the
> key-protecting/key-wrapping algorithm a bit (no pun intended! :) stronger
> than the one that uses that key. I can't think of a reason to protect a key
> with a weaker algorithm than the key-using one.
>
> You observed that strength-matching was not done with RSA (considering the
> key sizes involved, and where those keys may need to be stored and
> processed, one possible reason for that mismatch pops up automatically :).
>
> More surprisingly, matching was not done with ECC either. We don't have an
> explanation for this design choice. Copying designs we don't understand (or
> do we?) does not sound like a good recipe.

I'm not sure if everyone knows this, but given 2^64 AES-128
encryptions of say 0, under different keys, and 2^64 steps, I can
recover one of the keys with probability 1/2 by a trivial application
of the birthday bound.

There are variants of this attack that work with significantly less
data: http://cr.yp.to/snuffle/bruteforce-20050425.pdf explains this
well. The headline result is 2^10 input keys, 2^86 calculation, and
probability close to 1 of finding one of the keys. I can think of many
numbers to describe this situation, but 2^128 isn't one of them.

For discrete log based systems this phenomenon doesn't happen: I
cannot find one discrete log among many in time much faster than to
find a particular discrete log. That's why ChaCha (which uses 256 bit
keys) plus Curve25519 makes sense: an attacker who wants to break such
a combination has to take a discrete log over a group of size roughly
128 or do at least 2^128 trial encryptions, even if given a ludicrous
number of keys to pick from.

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email