IETF Logo Mail Archive

Re: [Cfrg] matching AES security

Watson Ladd <watsonbladd@gmail.com> Thu, 31 July 2014 03:30 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55CC51A031C for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 20:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwihwCnwzSV8 for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 20:30:15 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1A7C1A008E for <cfrg@irtf.org>; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id v1so1318252yhn.27 for <cfrg@irtf.org>; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GMUpYOU6qyT6uhaUa1BOnKJfLtDBrIV6jtcxzkhoQA8=; b=Uhk4pxWa2BtFz7DdpZiqVd7Pf6pqznKwHlkNX4DHjm2vHePTd/C5iMSMTq1zr/5W54 S+/4iaR9+RY+TmiVfUfL571kJSGVhcNE08/Ry+y1pII3QgeCtEsoRGkqlZ66xApbvjx8 qN9K3kefD9SxAOswV4Z9YlssWS9r26IjT4ENHLbHf4Lo1LztT/FmOAtyqaBHjALr1rfZ Q012ZatBN7y/rzjkLzRuh6K68iNvy3/L4ED2mW8hQ7mMotc3XEtEqoIUJEdyY8SDAsiZ RJFJTJuR3kPKrDZw2bEWnK0hY+bGpfD9H49f9TQw+qrD0clJxwjmPc3bCWnQ4WnKRXXw Cgvw==
MIME-Version: 1.0
X-Received: by 10.236.148.209 with SMTP id v57mr1962704yhj.140.1406777414129; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Wed, 30 Jul 2014 20:30:14 -0700 (PDT)
In-Reply-To: <CFFEEC4B.182BF%uri@ll.mit.edu>
References: <20140730123336.29011.qmail@cr.yp.to> <53D8FBDB.4060601@htt-consult.com> <CAK3OfOjxSsxc95i6UVn3oW_Kdz3R92OUpGSmdfO=yFXnTpGvZQ@mail.gmail.com> <CFFEEC4B.182BF%uri@ll.mit.edu>
Date: Wed, 30 Jul 2014 20:30:14 -0700
Message-ID: <CACsn0cn5MK25-y8hj_Cag1XdFgE5A2i4U6x6t6LsBiDGSj6UVA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/aI4QMhHiCYFSjrzw1Sq46Ykc0e0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 03:30:16 -0000

On Wed, Jul 30, 2014 at 4:08 PM, Blumenthal, Uri - 0558 - MITLL
<uri@ll.mit.edu> wrote:
>>>Please explain what typical device will use at least one new key every
>>> minute?
>>
>>Er, well, smartphone apps might well poll/get pushed to that
>>frequently, altogether, with a new key per-poll/push.  Sure, the
>>protocol involved might not generate a new key per-event, but if the
>>protocol is TLS, then it will.
>
> Maybe... A good argument to avoid TLS. :-)
>
>>DJB's point is that we should permit "odd" match-ups like AES-256 and
>>Curve25519 _because_ AES-128 is weak in plausible scenarios.
>                                           ^^^^^^^^^ :-)
>
> There already are such "odd" match-ups, and I guess the trend is here to
> stay.
>
> But to do it because of attackers "getting _all_ of your 2^50 keys with
> 2^128 easy (sic!) computations"? (I guess you could convince about half of
> the existing atoms in the Universe to do one computation for you, and
> maybe store the result. But lookups would have to be extra! :).

This is what rainbow tables are for. Let's suppose f:S->S, |S|=n. To
find preimages of k points p_1, ... p_k,
I do the following: pick s points q_1, .. q_s, store (q_i,f^r(q_i)) in
a table, and compute f^j(p_t) for each j and t,
checking if I get f^r(q_i) for some q_i. If I do, I calculate the
intermediate iterates of q_i, one of which is likely p_t.

The storage is s, while the number of points is sr, and I win with
probability about srjk/n, doing sr+jk work.
There is a higher-order collision term, but it's negligible.

This isn't new: rainbow tables were used to reverse password hashes in the 90's.

Sincerely,
Watson Ladd

>
>>I'm having a hard time objecting to that!
>
> :-)
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email