Re: [saag] CFRG Presentation on Algebraic Eraser

"Derek Atkins" <derek@ihtfp.com> Wed, 25 March 2015 14:43 UTC

Date: Wed, 25 Mar 2015 10:41:59 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Ben Laurie <benl@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/TdFF6519ULI3ZyD3mW8gcNnFj8o>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] CFRG Presentation on Algebraic Eraser

Hi Ben,

On Wed, March 25, 2015 9:22 am, Ben Laurie wrote:
> On 25 March 2015 at 03:53, Derek Atkins <derek@ihtfp.com> wrote:
>
>> Hi,
>>
>> On Wednesday in CFRG my colleague and I are presenting the Algebraic
>> Eraser, a public key crypto system targeted at embedded, low-resource,
>> IoT systems that performs 70-200x better than ECC in time and power
>> consumption.  If you're at all interested in seeing viable, performant
>> public key crypto on extremely constrained devices I encourage you to
>> attend CFRG at 1pm on Wednesday.
>>
>> The abstract of the talk:
>>
>> The Algebraic Eraser (AE), introduced by Anshel, Anshel, Goldfeld, and
>> Lemieux in 2006, is a key agreement protocol for public-key cryptography
>> which was designed to be suitable for implementation on low-cost
>> platforms with constrained computational resources, such as RFID, NFC,
>> and other platforms associated with the "Internet of Things."  One novel
>> feature of the protocol is that its complexity scales linearly with the
>> desired security, unlike other asymmetric methods such as RSA and ECC.
>> In this talk we give an overview of the protocol and present recent
>> hardware timing data comparing the performance of AE with ECC.
>>
>
> Has there been any analysis of AE?

Yes, there has.  Over the last decade since AE was first proposed there
have been only two classes of attacks ever found, both of which have been
refuted (see my previous reply to Watson Ladd).  In short, there was a
class of weak keys if you randomly generate your private keys (but RSA has
the same issue: you cannot choose a "random N", you need it to be the
product of two large primes).  The other attack basically boils down to
keys that are too short being easy to break.  Details are in my other
reply.

Thanks for your interest,

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant