IETF Logo Mail Archive

Re: [Cfrg] matching AES security

Benjamin Black <b@b3k.us> Wed, 30 July 2014 17:40 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E46D1A0330 for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 10:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nc12hnK3hVig for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 10:40:08 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4C51A02A3 for <cfrg@irtf.org>; Wed, 30 Jul 2014 10:40:07 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id hi2so2770126wib.11 for <cfrg@irtf.org>; Wed, 30 Jul 2014 10:40:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=AdOIlZFcbI7kVzksiGpGbSmpSrsr3ZSBPwxA+lc8alA=; b=NHk6xGuDIua0PYMhU6UinM9tEZsy/RH2YEBKrLnkEUlgY+sFH8Gz+p5LXCpAciHJtb R0unBDS5B8ehAIwCnq848WBfrwZguGoQQM1gRvqri4pUEYtaP1LMsVMNwo4SBerlibxp M7Jdy7DyVWVuODhCDHsroztldnl9HDC7oC0mGGFW+2v3ve1S23X4nEy8RvL3PGOPl/uI juGJmvlirYGnH56PtcrIN0jef73Kz9boexOY7qVoaOZXHhWCCuCKRg5kaHU6qjOeyFjb ftwybBXeKlZSOJCpfC75PdK00ptNdZXPSCZFC76TG+jvOObUCzR9bPRxOQpo284vz4dE vTFg==
X-Gm-Message-State: ALoCoQmSh+TpD3lnhWDTsRmQVgEJAitEyWyykTxa8JBhJ/JoF3zMq1wTkgy+46VlL/S9iZ15YO6K
X-Received: by 10.180.21.208 with SMTP id x16mr8068675wie.73.1406742006084; Wed, 30 Jul 2014 10:40:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.44.138 with HTTP; Wed, 30 Jul 2014 10:39:46 -0700 (PDT)
In-Reply-To: <20140730123336.29011.qmail@cr.yp.to>
References: <20140730123336.29011.qmail@cr.yp.to>
From: Benjamin Black <b@b3k.us>
Date: Wed, 30 Jul 2014 10:39:46 -0700
Message-ID: <CA+Vbu7wwSUOJgHmGZu3ii1sn9ZfmqsWUHimYVd3wNX=RgxbaBg@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="047d7bb70cbe907a2904ff6ca5ae"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/HCEQjJAF6Y5D5ytlWJQXgfgaXXo
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 17:40:12 -0000

AES is not the only symmetric cipher in use today and we can expect new
ciphers to supersede it during the service life of the new curves under
discussion. The goal is matching security levels of the suite components as
designed, not adjusting things based on attacks that emerge against a given
component over its service life.


b


On Wed, Jul 30, 2014 at 5:33 AM, D. J. Bernstein <djb@cr.yp.to> wrote:

> Blumenthal, Uri - 0668 - MITLL writes:
> > IMHO, the logic/reason of matching security levels of the
> > cryptographic algorithms employed in a protocol suite is fairly
> > obvious and does not need an explicit justification.
>
> Let's think through what "matching security levels" actually means for
> matching elliptic curves with AES.
>
> In the foreseeable future there will be billions of devices that users
> are relying on for cryptographic computations, and it's easy to imagine
> that a typical device will use at least one new key every minute, i.e.,
> a million new keys within two years. That's more than 2^50 keys overall.
>
> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
> _total_ of 2^128 easy computations. Even worse, there are standard
> attacks that find _at least one_ of the keys using just 2^78 easy
> computations, a feasible computation today.
>
> These attacks assume that the attacker sees ciphertext for, e.g., an
> all-zero block encrypted under all of the keys. Sometimes protocols
> randomize their blocks to try to stop these attacks---but putting
> complications into protocols to compensate for a cipher's deficient
> security is _not_ a smart way to design a cryptographic system. For the
> past decade I've been recommending moving to larger cipher keys,
> precisely because of this attack against 128-bit keys.
>
> For comparison, if we're talking about Curve25519 keys rather than
> AES-128 keys, the fastest attacks to find one out of 2^50 keys are as
> slow as the fastest attack to find a single targeted key. (This isn't
> just an observation about known attacks; it's a theorem about _all_
> attacks, following easily from the "random self-reducibility" of
> Curve25519 DL, a very strong type of "worst-case-to-average-case
> reduction".) Exactly the same comment applies to any other curve---I'm
> using Curve25519 as a concrete illustration but don't mean to suggest
> that it's special in this respect.
>
> A standard batching mechanism (1999 Escott--Sager--Selkirk--Tsapakidis,
> also crediting Silverman--Stapleton; for further analysis see 2001
> Kuhn--Struik, 2004 Hitchcock--Montague--Carter--Dawson, 2006 Bernstein,
> 2012 Lee--Cheon--Hong, and 2012 Bernstein--Lange) finds all of the 2^50
> Curve25519 keys more quickly than 2^50 separate DL computations, but
> still takes time 2^150, millions of times more difficult than breaking
> an AES-128 key.
>
> If you scale down to more plausible amounts of future computation, such
> as 2^100, then the comparison becomes even more lopsided. The attacker
> is going to find millions of the users' AES-128 keys, but has chance
> only about 1/2^50 of finding even _one_ of the Curve25519 keys.
>
> > What benefit do you derive from including a stronger
> > algorithm in a chain made of weaker algorithms?
>
> Do you realize that you're arguing _against_ mixing AES-256 with a curve
> as large as 512 bits?
>
> In a world of 2^50 AES-256 keys, there's an attack that already has a
> high probability of finding a key in time "only" 2^206. This is nicely
> matched with the cost of breaking Curve41417. (I admit that Curve41417
> is slightly more secure when the inner-loop cost is taken into account,
> but let's not quibble.) What benefit do you think you're obtaining from
> larger curves, such as NIST P-521 or E-521 or Microsoft's 512-bit curve?
>
> The argument that AES-256 "matches" 512-bit ECC is supported only by an
> oversimplified analysis of single-key attacks. Multiple-key attacks are
> much faster for AES-256, and are obviously preferable for the attacker;
> inferior attacks make no sense as a basis for evaluating security. If
> you actually want a cipher that doesn't compromise the quantitative
> security level of 512-bit ECC then you need to go far beyond 256-bit
> cipher keys.
>
> The point I'm making here is orthogonal to
>
>    * Adam's point that comparing 2^200 computation to 2^250 computation
>      is meaningless---we'll never do such big computations (see
>      https://www.imperialviolet.org/2014/05/25/strengthmatching.html)
>
>    * Mike's point that what actually matters up at this level is the
>      risk of breakthroughs---e.g., quantum computers running Shor;
>
>    * the point that several people have made about the low cost of
>      moving from 192-bit ciphers to 256-bit ciphers (and the high cost
>      of supporting an excessive spectrum of options)---so usage of
>      256-bit ciphers doesn't imply that users want 2^256 security;
>
>    * the point that it's already common practice to combine, e.g.,
>      RSA-2048 with AES-128 and sometimes even AES-256, illustrating that
>      the users' performance constraints are the biggest issue;
>
> and various other arguments against the whole concept of "matching
> security levels". What I'm saying is that if you _do_ want to "match
> security levels"---for example, Joe Salowey wrote
>
>    TLS supports 256-bit symmetric key ciphers and we want to have
>    recommended curves to match this key strength
>
> ---then it's a huge quantitative error to pair AES-256 with 512-bit ECC.
> All of the attack costs that I'm describing are thoroughly established
> by the public cryptanalytic literature; I'm not aware of any dispute.
>
> Perhaps CFRG should issue a warning about AES-128 being feasible to
> break under plausible assumptions. A reasonable response to this threat
> is to move to a 256-bit (or merely 192-bit, but see above regarding
> options) cipher with Curve25519 (or Microsoft's 256-bit curve); this
> would push all known attacks above 2^120, ample protection for the
> foreseeable future. A 256-bit cipher with Curve41417 would push all
> known attacks above 2^200.
>
> ---Dan
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.30.2 | Report a Bug | By Email | System Status