Re: [Cfrg] matching AES security
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Wed, 30 July 2014 21:28 UTC
Return-Path: <prvs=32887b111f=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1411A049F for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 14:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmJz3oUecIpO for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 14:28:19 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 21BD71A05C0 for <cfrg@irtf.org>; Wed, 30 Jul 2014 14:28:18 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s6ULSHXF021687; Wed, 30 Jul 2014 17:28:17 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Michael Hamburg <mike@shiftleft.org>, Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] matching AES security
Thread-Index: AQHPq/wCacsPipZEQE6PjxUstHqztJu5JZcAgAAJKACAAAndAP//6b4A
Date: Wed, 30 Jul 2014 21:28:16 +0000
Message-ID: <CFFED804.182A4%uri@ll.mit.edu>
References: <20140730123336.29011.qmail@cr.yp.to> <CA+Vbu7wwSUOJgHmGZu3ii1sn9ZfmqsWUHimYVd3wNX=RgxbaBg@mail.gmail.com> <CACsn0cmofOFFOc-EFyu5=kMVyhLCwTMudQ607zH1h9m9Q5ve1Q@mail.gmail.com> <ED370334-7F81-4D9D-B7DE-94C319151D54@shiftleft.org>
In-Reply-To: <ED370334-7F81-4D9D-B7DE-94C319151D54@shiftleft.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.3.140616
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3489586090_11416388"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.14, 0.0.0000 definitions=2014-07-30_07:2014-07-30,2014-07-30,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1407300245
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/R-xUrO0IocP41JEDFhorLCVuX2E
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 21:28:23 -0000
> To answer Uri’s question, yes, this attack requires a shared known plaintext > block across all the connections. This is most likely to happen through the > use of CTR mode with a deterministic nonce; or the MAC of the empty string; or > explicit key confirmation. > > Also, the attack is not realistic for AES-128 in the near future, and we don’t > have to warn users about it. But it’s more realistic than a 128-bit key > exhaustion. Good points! I concur. > But even in a single-target model, you can’t just compare the brute-force > security levels of, say, AES-192 and NIST-P384. Brute force is not a > realistic threat to either one. Again, I concur. But still, we need some ways to compare, e.g., NIST-P384 with NIST-P521. You cannot say "beyond bit-length X they're just all the same". > Instead you have to consider the risk that an attacker with a given budget can > hack you. This risk would encompass things like: > > * Value of the keys. The long-term ECC keys are worth more. Yes. > * Protocol tightness. Time/memory/data attacks are not necessarily limited to > multiple-user attacks, and are likely to weaken AES more than ECC. Don't know. Maybe. > * Chosen-plaintext are more likely to affect AES. Probably the opposite. Easier to mount against AES, but AES is more immune against them. > * Quantum computation. More bits of AES buys you more resistance, but more > bits of ECC does not. Yes. > * Mathematical breakthrough. Hard to quantify. Yes. :-) > * Side channels. More bits don’t buy you much more security. Yes. :-) > My conclusions from this would be: > > * Past 192 bits of security, brute force security ratings are basically > meaningless even with linear time/data tradeoffs. Stronger ciphers are mostly > a hedge against breakthroughs. OK, agree. > * We use 256-bit AES because it’s not much more expensive than 192-bit AES. Actually I don't know why we don't use 192-bit AES. Maybe you're right. > * We should consider a more-than-384-bit elliptic curve if and only if it’s > not much more expensive than a 384-bit curve. > * There’s not much point to ed-512-mers if it costs twice as much as > ed-384-mers. See your point about "a hedge against breakthroughs". We don't know if a breakthrough would be made against ECC, and if it would – whether it would be hampered "enough" by more bits, and how many more bits would be needed to stay "safe". So while a scalable quantum computer (probably) obliterates ECC, there could be mathematical advances that are less drastic. I.e., there could still be reasons for larger curves to stay around. > * The unusual-sized curves Curve41417 and Ed448-Goldilocks should be > considered if and only if they’re not much more expensive than the 384-bit > alternatives. This has been demonstrated for Goldilocks, which is 6% slower > than ed-384-mers on Sandy Bridge. I believe that it will also be true for > Curve41417, but so far I’ve only heard numbers for Cortex A8 NEON, and none of > the alternatives have optimized implementations on that platform. Don't know.
- [Cfrg] matching AES security D. J. Bernstein
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Natanael
- Re: [Cfrg] matching AES security Tanja Lange
- Re: [Cfrg] matching AES security Paul Lambert
- Re: [Cfrg] matching AES security Benjamin Black
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Sandy Harris
- Re: [Cfrg] matching AES security James Cloos
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Nico Williams
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Johannes Merkle
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Brian Smith
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Alex Elsayed
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Alyssa Rowan
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Dan Brown
- Re: [Cfrg] matching AES security Dan Harkins
- Re: [Cfrg] matching AES security Ilari Liusvaara
- Re: [Cfrg] matching AES security D. J. Bernstein