Re: [Cfrg] matching AES security
Dan Brown <dbrown@certicom.com> Fri, 01 August 2014 15:39 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7441A0169 for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 08:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DCup1lusJxa for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 08:39:11 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id ACDBC1A007A for <cfrg@irtf.org>; Fri, 1 Aug 2014 08:39:10 -0700 (PDT)
Received: from smtp-pop.rim.net (HELO XCT103CNC.rim.net) ([10.65.161.203]) by mhs215cnc.rim.net with ESMTP/TLS/AES128-SHA; 01 Aug 2014 11:39:09 -0400
Received: from XCT112CNC.rim.net (10.65.161.212) by XCT103CNC.rim.net (10.65.161.203) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 1 Aug 2014 11:39:08 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT112CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Fri, 1 Aug 2014 11:39:08 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] matching AES security
Thread-Index: AQHPq/wDi7poN5/oe0uofIOe1Kztcpu7t08AgABF4QCAAAgdAP//yeDA
Date: Fri, 01 Aug 2014 15:39:07 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CC64E1@XMB116CNC.rim.net>
References: <20140730123336.29011.qmail@cr.yp.to> <2776234.venKYWsbWt@arkadios> <836aeec8-62be-4cc7-8c43-9bc4518b5d9e@email.android.com> <CAMm+LwiLCnx=ZfwgoCkY4Gn9fvcL+rACDxF9Cvc+eQSe9eFjMQ@mail.gmail.com>
In-Reply-To: <CAMm+LwiLCnx=ZfwgoCkY4Gn9fvcL+rACDxF9Cvc+eQSe9eFjMQ@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.250]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_002B_01CFAD7D.33E1D870"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/yq2ct7rlCLO7LyXW47X6M88bZno
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Aug 2014 15:39:13 -0000
I mostly agree with the discussions on this thread, but want to add one more theoretical (*) point. (*) This is not something to lose sleep over, rather something for insomniacs to ponder at night. It seems to me that even in the single-key setting, a 256-bit ECC key fares better than a 128-bit AES key, because of the tradeoff between computation and success rate. To make it concrete, consider a TLS session protected with a one-use ECDHE key and a one-use AES key. The following simplistic back-of-the-envelope calculation shows that a typical adversary would far prefer to attack the AES key. Some variables: - v = value of session plaintext to adversary - s = success rate of adversary - g = sv = expected gain of adversary - c = computational cost of adversary - r = g/c = sv/c = overall return on investment for adversary [left as an exercise] - j = dg/dc = incremental return on investment for adversary computation Consider a form of exhaustive search algorithm: pick a random 128-bit key AES against a target session ciphertext, decrypting it to confirm the guessed key. This assumes that the plaintext has an easily checkable form of redundancy of at least 128 bits, enabling the adversary to confirm the correctness of a guessed key. Repeat ~c times. This algorithm is such that c/s ~ 2^128 So, s ~ c / 2^128. I'm using ~ for proportional: so multiply the RHS by the cost of AES decryption plus plaintext redundancy verification. Now, ignoring memory costs, Shank's baby-step-giant-step algorithm against a 256-bit ECC is such that c^2 / s ~ 2^256 against with other constants of proportion to be multiplied onto the RHS. I'm guessing that memory-efficient algorithms like Pollard rho have the similar tradeoff, but please correct me if I'm wrong. Solving for s gives s ~ c^2 / 2^256. Plugging this back into the incremental ROI per computation gives j_aes128 ~ v / 2^128 j_ecc256 ~ 2vc / 2^256 So, when c ~ 2^128 these are about the same, but for smaller c values, j_ecc256 is smaller, and thus the adversary gets more return from attacking the AES128 key. In other words, the adversary's initial computation are most effectively spent on the AES key, because if the adversary gets lucky. That is, *IF* the adversary has the computational power such that it pays off to try exhaustive search on AES128, then this pays off much more than trying to solve the DLP on ECC256 using a generic algorithm. Of course, that's a big if. Note that I used a heuristic of differentiation to get the j values. This is inaccurate, especially for j_aes128 as c approaches 2^128. More precisely, a better exhaustive search algorithm than above does try random keys, but rather loops through keys, never repeating, so the incremental return on investment actually improves per guessed key. This means that even for large c ~2^128, it may still be better to run the algorithm against AES128 instead of DLP ECC256. Note that in the setting above, the DH and AES keys are used once only for the same purpose. In other situations, such as key transport or DH key re-use, the value of v would differ for the different keys, and thus may significantly alter the adversary's optimal strategy. Note that the 256-bit ECC DLP algorithm cost can also be written as c/ sqrt(s) ~ 2^128, hence the label 128-bit security for 256-bit ECC. Note that I ignored the option of using the MAC tag to confirm AES128 key guesses. Since the MAC would use a different key, I deferred its use to further discussion.
- [Cfrg] matching AES security D. J. Bernstein
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Natanael
- Re: [Cfrg] matching AES security Tanja Lange
- Re: [Cfrg] matching AES security Paul Lambert
- Re: [Cfrg] matching AES security Benjamin Black
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Andy Lutomirski
- Re: [Cfrg] matching AES security Michael Hamburg
- Re: [Cfrg] matching AES security Sandy Harris
- Re: [Cfrg] matching AES security James Cloos
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Nico Williams
- Re: [Cfrg] matching AES security Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Johannes Merkle
- Re: [Cfrg] matching AES security Robert Moskowitz
- Re: [Cfrg] matching AES security Brian Smith
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Andrey Jivsov
- Re: [Cfrg] matching AES security Watson Ladd
- Re: [Cfrg] matching AES security Alex Elsayed
- Re: [Cfrg] matching AES security Peter Gutmann
- Re: [Cfrg] matching AES security Alyssa Rowan
- Re: [Cfrg] matching AES security Phillip Hallam-Baker
- Re: [Cfrg] matching AES security Dan Brown
- Re: [Cfrg] matching AES security Dan Harkins
- Re: [Cfrg] matching AES security Ilari Liusvaara
- Re: [Cfrg] matching AES security D. J. Bernstein