IETF Logo Mail Archive

Re: [Cfrg] matching AES security

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Wed, 30 July 2014 17:50 UTC

Return-Path: <prvs=32887b111f=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4C91A01C5 for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 10:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cH1M98ZLfp5g for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 10:50:29 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 763C21A01AC for <cfrg@irtf.org>; Wed, 30 Jul 2014 10:50:29 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s6UHmsNN025778; Wed, 30 Jul 2014 13:50:17 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] matching AES security
Thread-Index: AQHPq/wCacsPipZEQE6PjxUstHqztJu45RiA
Date: Wed, 30 Jul 2014 17:49:02 +0000
Message-ID: <CFFE99A0.18226%uri@ll.mit.edu>
References: <20140730123336.29011.qmail@cr.yp.to>
In-Reply-To: <20140730123336.29011.qmail@cr.yp.to>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.3.140616
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3489572935_10671884"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.14, 0.0.0000 definitions=2014-07-30_07:2014-07-30,2014-07-30,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1407300210
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/9fWKP9cP56azLu-0pK-5_KsFPDA
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 17:50:33 -0000

On 7/30/14 8:33 , "D. J. Bernstein" <djb@cr.yp.to> wrote:

>Blumenthal, Uri - 0668 - MITLL writes:
>> IMHO, the logic/reason of matching security levels of the
>> cryptographic algorithms employed in a protocol suite is fairly
>> obvious and does not need an explicit justification.
>
>Let's think through what "matching security levels" actually means for
>matching elliptic curves with AES.

Sure.

>In the foreseeable future there will be billions of devices that users
>are relying on for cryptographic computations, and it's easy to imagine
>that a typical device will use at least one new key every minute, i.e.,
>a million new keys within two years. That's more than 2^50 keys overall.

This does not appear realistic. But I find the following more interesting:

>There are standard attacks that break _all_ of 2^50 AES-128 keys using a
>_total_ of 2^128 easy computations. Even worse, there are standard
>attacks that find _at least one_ of the keys using just 2^78 easy
>computations, a feasible computation today.

Could you please point me at a decent reference/description of this attack?

>These attacks assume that the attacker sees

[And can identify as such]

>ciphertext for, e.g., an all-zero block encrypted under all of the keys.

You are saying that there has to be _the same_ known plaintext pair for
_all_ of these 2^50 keys in order for the attack to work? And it takes
2^128 computations?

What happens if there's fewer keys than 2^50? What happens if you only
have probable plaintext? What happens if you have known plaintext pairs
but they differ across the 2^N keys?


>Sometimes protocols randomize their blocks to try to stop these
>attacks---but putting
>complications into protocols to compensate for a cipher's deficient
>security is _not_ a smart way to design a cryptographic system. For the
>past decade I've been recommending moving to larger cipher keys,
>precisely because of this attack against 128-bit keys.

You have a point. But let's evaluate/discuss this attack (its basics,
costs, applicability, etc) before figuring out costs of defending against
it.

>The argument that AES-256 "matches" 512-bit ECC is supported only by an
>oversimplified analysis of single-key attacks.

Which is what most people are concerned about, and IMHO justly so. But
let's discuss.

>Multiple-key attacks are
>much faster for AES-256, and are obviously preferable for the attacker;
>.......................

The question is whether they are plausible and/or feasible.


>All of the attack costs that I'm describing are thoroughly established
>by the public cryptanalytic literature; I'm not aware of any dispute.

"Multiple-key attacks" reference please?


>Perhaps CFRG should issue a warning about AES-128 being feasible to
>break under plausible assumptions.

I'd like to get a better understanding of both the attacks and the
assumptions. Probably the entire group (CFRG) should evaluate their
plausibility.

TNX!

v2.37.1 | Report a Bug | By Email | System Status