[Cfrg] Standard rant on bit security (related to the pairings draft)
Watson Ladd <watsonbladd@gmail.com> Thu, 25 July 2019 20:58 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 759781201DB for <cfrg@ietfa.amsl.com>; Thu, 25 Jul 2019 13:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ACKVVYf3Yqi for <cfrg@ietfa.amsl.com>; Thu, 25 Jul 2019 13:58:15 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C39B1201D1 for <cfrg@irtf.org>; Thu, 25 Jul 2019 13:58:15 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id v85so35497039lfa.6 for <cfrg@irtf.org>; Thu, 25 Jul 2019 13:58:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=wzWazGJVpCd663xwfW5AWAwzI/sYcZS6DkEO7HF2OMQ=; b=Cg7sUzbWAsg0CUmcDlz9LdPV98EHqlqzIsxn21vKUB8TDl2q1rB7t8XtJpf/FmmyEe vmtfp5lKKlXdi0iOOIQTQAxS0yyDFpYKHP9RcPXZWS0iMcMSICRBkGNdBarCfB66CVEd tpjf9cy6R7ZPifMT//QaV+GPIaTOVXgN6gGHEJA8eeH5oAvBeZunHQpKjkKqNQ1q5wuD wCZlwSO9f7LwBBf+Ncqf8nLtjuaFu1VAf0RfaSh50FiA3MDXqEcM4NMaZG7szfHdN//p R0toLwOY/HHWqZmeO5wXixNoddyxWWbW9QCpvT5NPdp381rSwkuVxkE5H/pB1ULoXfVa gMlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=wzWazGJVpCd663xwfW5AWAwzI/sYcZS6DkEO7HF2OMQ=; b=tJsQAyVCKD+B3M7rI171sgYT+nhNZTPrZqycAH9MWs2wxoYPRKMKOpTHgKczPPZaOF 7z2TK0/cNFnuzPDIwP/sHuvc9pFdCh9oAY90EZ9m507QAHyH7Z4YbU5w8d3ekJC+vRHi mrJgyIl9ch4Mr00wAUMaGaZCojHdkK7xuO3O+EYS4bpb4jFhAnLqReJCa/EelhjQxF81 zLg8E30PiJYS8gqlQ8YGRkffQrQoYeUY4y0w6R7qKwcraVtvR9jFrwLTxCd1mxvxcaY0 13UgLT8UwZBoAZ/xlm5nO/YC1Rme1oID7eA8OufP/XrCjQw1NzGP/5dU/6EkWzDCDUMz 1KXg==
X-Gm-Message-State: APjAAAXyU3pOoieYMKae6XpjaRlkmygD6NpQunYukPcU2C/P4RBSEbaB lLQ8cqZzcsLng9iOlDA72E4HabtUutblkI/R6+yRzeFz
X-Google-Smtp-Source: APXvYqwPTgJ/4e6MQd6pvNBNFdmzY/+Xi8Ry5SfBvXVfQWDnccIuTpY3RUMbx2/0zXJl64UTz3ibqXGgzn9QjWYkSGw=
X-Received: by 2002:ac2:51ab:: with SMTP id f11mr3316505lfk.55.1564088293273; Thu, 25 Jul 2019 13:58:13 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 25 Jul 2019 13:58:01 -0700
Message-ID: <CACsn0cminvui2H+r6S2FRszpN54rt5_8FbO_32TySHjfdJE_CQ@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Ay8f51rIMqFPix3JXlOK6ozpOcY>
Subject: [Cfrg] Standard rant on bit security (related to the pairings draft)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 20:58:18 -0000
Dear all, If you have already heard this rant, skip reading the email. Claims made that an algorithm A provides B bits of security are claims that ignore substantial real differences in the complexity of attacks. Pairing based curves present an excellent example of this. Suppose one wants to break AES-128, that is recover k from E_k(0). The obvious algorithm is to treat this as a search for a preimage: One grinds away, and multiple targets can be found quite simply. Each guess is simply a guess and the success probability is linear. Now let's break P256. Here the algorithm is the distinguished point algorithm, which does a random walk that varies by target. The complexity of attacking multiple keys is not amortized in the same way. The success probability is also quadratic in the runtime, vs. linear. For NFS the amortization is even stronger. The NFS algorithm works by computing relations among the discrete logarithms of a factor base. This work does not need to be repeated per target, while the work of relating the unknown element to a factor base does depend on the target, but an attacker can enlarge the factor base to reduce it. At the same time NFS has a communication intensive linear algebra step, and for discrete logarithms this step is more expensive then for factoring. This cannot be equated to either of the ones above. The complexity of the NFS also depends on estimates of the smoothness probability. In this setting it is the finite field, so I think smoothness probability is easily estimated (Riemann hypothesis is known) but for some fields the constants are only know heuristically with errors after the first few digits. Simple descriptions of the time complexity as bit lengths ignore the impact of communication and multitarget effects, and completely ignores success probability. It omits often constant factors that can have significant implications for actual security and the heuristics that need to go into the runtime of many algorithms in number theory. It sacrifices big differences in multiuser security on the alter of simplicity. Lastly P384 is a dog: a different prime shape might have lead to more usage. I don't think one can draw broader conclusions from it's lack of usage. Sincerely, Watson Ladd