Re: [Cfrg] matching AES security
Watson Ladd <watsonbladd@gmail.com> Thu, 31 July 2014 03:30 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55CC51A031C for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 20:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwihwCnwzSV8 for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 20:30:15 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1A7C1A008E for <cfrg@irtf.org>; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id v1so1318252yhn.27 for <cfrg@irtf.org>; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GMUpYOU6qyT6uhaUa1BOnKJfLtDBrIV6jtcxzkhoQA8=; b=Uhk4pxWa2BtFz7DdpZiqVd7Pf6pqznKwHlkNX4DHjm2vHePTd/C5iMSMTq1zr/5W54 S+/4iaR9+RY+TmiVfUfL571kJSGVhcNE08/Ry+y1pII3QgeCtEsoRGkqlZ66xApbvjx8 qN9K3kefD9SxAOswV4Z9YlssWS9r26IjT4ENHLbHf4Lo1LztT/FmOAtyqaBHjALr1rfZ Q012ZatBN7y/rzjkLzRuh6K68iNvy3/L4ED2mW8hQ7mMotc3XEtEqoIUJEdyY8SDAsiZ RJFJTJuR3kPKrDZw2bEWnK0hY+bGpfD9H49f9TQw+qrD0clJxwjmPc3bCWnQ4WnKRXXw Cgvw==
MIME-Version: 1.0
X-Received: by 10.236.148.209 with SMTP id v57mr1962704yhj.140.1406777414129; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
In-Reply-To: <CFFEEC4B.182BF%uri@ll.mit.edu>
References: <20140730123336.29011.qmail@cr.yp.to> <53D8FBDB.4060601@htt-consult.com> <CAK3OfOjxSsxc95i6UVn3oW_Kdz3R92OUpGSmdfO=yFXnTpGvZQ@mail.gmail.com> <CFFEEC4B.182BF%uri@ll.mit.edu>
Date: Wed, 30 Jul 2014 20:30:14 -0700
Message-ID: <CACsn0cn5MK25-y8hj_Cag1XdFgE5A2i4U6x6t6LsBiDGSj6UVA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/aI4QMhHiCYFSjrzw1Sq46Ykc0e0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 03:30:16 -0000
On Wed, Jul 30, 2014 at 4:08 PM, Blumenthal, Uri - 0558 - MITLL <uri@ll.mit.edu> wrote: >>>Please explain what typical device will use at least one new key every >>> minute? >> >>Er, well, smartphone apps might well poll/get pushed to that >>frequently, altogether, with a new key per-poll/push. Sure, the >>protocol involved might not generate a new key per-event, but if the >>protocol is TLS, then it will. > > Maybe... A good argument to avoid TLS. :-) > >>DJB's point is that we should permit "odd" match-ups like AES-256 and >>Curve25519 _because_ AES-128 is weak in plausible scenarios. > ^^^^^^^^^ :-) > > There already are such "odd" match-ups, and I guess the trend is here to > stay. > > But to do it because of attackers "getting _all_ of your 2^50 keys with > 2^128 easy (sic!) computations"? (I guess you could convince about half of > the existing atoms in the Universe to do one computation for you, and > maybe store the result. But lookups would have to be extra! :). This is what rainbow tables are for. Let's suppose f:S->S, |S|=n. To find preimages of k points p_1, ... p_k, I do the following: pick s points q_1, .. q_s, store (q_i,f^r(q_i)) in a table, and compute f^j(p_t) for each j and t, checking if I get f^r(q_i) for some q_i. If I do, I calculate the intermediate iterates of q_i, one of which is likely p_t. The storage is s, while the number of points is sr, and I win with probability about srjk/n, doing sr+jk work. There is a higher-order collision term, but it's negligible. This isn't new: rainbow tables were used to reverse password hashes in the 90's. Sincerely, Watson Ladd > >>I'm having a hard time objecting to that! > > :-) > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] matching AES security D. J. Bernstein
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Natanael
- Re: [Cfrg] matching AES security Tanja Lange
- Re: [Cfrg] matching AES security Paul Lambert
- Re: [Cfrg] matching AES security Benjamin Black
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Sandy Harris
- Re: [Cfrg] matching AES security James Cloos
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Nico Williams
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Johannes Merkle
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Brian Smith
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Alex Elsayed
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Alyssa Rowan
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Dan Brown
- Re: [Cfrg] matching AES security Dan Harkins
- Re: [Cfrg] matching AES security Ilari Liusvaara
- Re: [Cfrg] matching AES security D. J. Bernstein