nist p 256 has a cube root ecdl algorithm d j bernstein
play

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein - PDF document

Oct 01, 2022 •129 likes •769 views

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 , eprint.iacr.org/2012/458

  1. NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 , eprint.iacr.org/2012/458 : “Non-uniform cracks in the concrete”, “Computing small discrete logarithms faster”

  2. Central question: What is the best ECDL algorithm for the NIST P-256 elliptic curve? ECDL algorithm input: curve point ◗ . ECDL algorithm output: log P ◗ , where P is standard generator. Standard definition of “best”: minimize “time”.

  3. Central question: What is the best ECDL algorithm for the NIST P-256 elliptic curve? ECDL algorithm input: curve point ◗ . ECDL algorithm output: log P ◗ , where P is standard generator. Standard definition of “best”: minimize “time”. More generally, allow algorithms with ❁ 100% success probability; analyze tradeoffs between “time” and success probability.

  4. Trivial standard conversion from any P-256 ECDL algorithm into (e.g.) signature-forgery attack against P-256 ECDSA: ✎ Use the ECDL algorithm to find the secret key. ✎ Run the signing algorithm on attacker’s forged message. Compared to ECDL algorithm, attack has practically identical speed and success probability.

  5. Should P-256 ECDSA users be worried about this?

  6. Should P-256 ECDSA users be worried about this? No. Many ECC researchers have tried and failed to find good ECDL algorithms.

  7. Should P-256 ECDSA users be worried about this? No. Many ECC researchers have tried and failed to find good ECDL algorithms. Standard conjecture: For each ♣ ✷ [0 ❀ 1], each P-256 ECDL algorithm with success probability ✕ ♣ takes “time” ✕ 2 128 ♣ 1 ❂ 2 .

  8. Interlude regarding “time” How much “time” does the following algorithm take? def pidigit(n0,n1,n2): if n0 == 0: if n1 == 0: if n2 == 0: return 3 return 1 if n2 == 0: return 4 return 1 if n1 == 0: if n2 == 0: return 5 return 9 if n2 == 0: return 2 return 6

  9. Students in algorithm courses learn to count executed “steps”. Skipped branches take 0 “steps”. This algorithm uses 4 “steps”.

  10. Students in algorithm courses learn to count executed “steps”. Skipped branches take 0 “steps”. This algorithm uses 4 “steps”. Generalization: There exists an algorithm that, given ♥ ❁ 2 ❦ , prints the ♥ th digit of ✙ using ❦ + 1 “steps”.

  11. Students in algorithm courses learn to count executed “steps”. Skipped branches take 0 “steps”. This algorithm uses 4 “steps”. Generalization: There exists an algorithm that, given ♥ ❁ 2 ❦ , prints the ♥ th digit of ✙ using ❦ + 1 “steps”. Variant: There exists a 259- “step” P-256 ECDL algorithm (with 100% success probability).

  12. Students in algorithm courses learn to count executed “steps”. Skipped branches take 0 “steps”. This algorithm uses 4 “steps”. Generalization: There exists an algorithm that, given ♥ ❁ 2 ❦ , prints the ♥ th digit of ✙ using ❦ + 1 “steps”. Variant: There exists a 259- “step” P-256 ECDL algorithm (with 100% success probability). If “time” means “steps” then the standard conjecture is wrong.

  13. 2000 Bellare–Kilian–Rogaway: “We fix some particular Random Access Machine (RAM) as a model of computation. ✿ ✿ ✿ ❆ ’s running time [means] ❆ ’s actual execution time plus the length of ❆ ’s description ✿ ✿ ✿ This convention eliminates pathologies caused [by] arbitrarily large lookup tables ✿ ✿ ✿ Alternatively, the reader can think of circuits over some fixed basis of gates, like 2-input NAND gates ✿ ✿ ✿ now time simply means the circuit size.”

  14. Side comments: 1. Definition from Crypto 1994 Bellare–Kilian–Rogaway was flawed: failed to add length. Paper conjectured “useful” DES security bounds; any reasonable interpretation of conjecture was false, given paper’s definition.

  15. Side comments: 1. Definition from Crypto 1994 Bellare–Kilian–Rogaway was flawed: failed to add length. Paper conjectured “useful” DES security bounds; any reasonable interpretation of conjecture was false, given paper’s definition. 2. Many more subtle issues defining RAM “time”: see 1990 van Emde Boas survey.

  16. Side comments: 1. Definition from Crypto 1994 Bellare–Kilian–Rogaway was flawed: failed to add length. Paper conjectured “useful” DES security bounds; any reasonable interpretation of conjecture was false, given paper’s definition. 2. Many more subtle issues defining RAM “time”: see 1990 van Emde Boas survey. 3. NAND definition is easier but breaks many theorems.

  17. Two-way reductions Another standard conjecture: For each ♣ ✷ [2 � 40 ❀ 1], each P-256 ECDSA attack with success probability ✕ ♣ takes “time” ❃ 2 128 ♣ 1 ❂ 2 .

  18. Two-way reductions Another standard conjecture: For each ♣ ✷ [2 � 40 ❀ 1], each P-256 ECDSA attack with success probability ✕ ♣ takes “time” ❃ 2 128 ♣ 1 ❂ 2 . Why should users have any confidence in this conjecture? How many ECC researchers have really tried to break ECDSA? ECDH? Other ECC protocols? Far less attention than for ECDL.

  19. Provable security to the rescue! Prove: if there is an ECDSA attack then there is an ECDL attack with similar “time” and success probability.

  20. Provable security to the rescue! Prove: if there is an ECDSA attack then there is an ECDL attack with similar “time” and success probability. Oops: This turns out to be hard. But changing from ECDSA to Schnorr allows a proof: Eurocrypt 1996 Pointcheval–Stern.

  21. Provable security to the rescue! Prove: if there is an ECDSA attack then there is an ECDL attack with similar “time” and success probability. Oops: This turns out to be hard. But changing from ECDSA to Schnorr allows a proof: Eurocrypt 1996 Pointcheval–Stern. Oops: This proof has very bad “tightness” and is only for limited classes of attacks. Continuing efforts to fix these limitations.

  22. Similar pattern throughout the “provable security” literature. Protocol designers (try to) prove that hardness of a problem P (e.g., the ECDL problem) implies security of various protocols ◗ . After extensive cryptanalysis of P , maybe gain confidence in hardness of P , and hence in security of ◗ .

  23. Similar pattern throughout the “provable security” literature. Protocol designers (try to) prove that hardness of a problem P (e.g., the ECDL problem) implies security of various protocols ◗ . After extensive cryptanalysis of P , maybe gain confidence in hardness of P , and hence in security of ◗ . Why not directly cryptanalyze ◗ ? Cryptanalysis is hard work: have to focus on a few problems P . Proofs scale to many protocols ◗ .

  25. Have cryptanalysts actually studied the problem P that the protocol designer hypothesizes to be hard?

  26. Have cryptanalysts actually studied the problem P that the protocol designer hypothesizes to be hard? Three different situations: “The good”: Cryptanalysts have studied P .

  27. Have cryptanalysts actually studied the problem P that the protocol designer hypothesizes to be hard? Three different situations: “The good”: Cryptanalysts have studied P . “The bad”: Cryptanalysts have not studied P .

  28. Have cryptanalysts actually studied the problem P that the protocol designer hypothesizes to be hard? Three different situations: “The good”: Cryptanalysts have studied P . “The bad”: Cryptanalysts have not studied P . “The ugly”: People think that cryptanalysts have studied P , but actually they’ve studied P ✵ ✻ = P .

  29. Cube-root ECDL algorithms Assuming plausible heuristics, overwhelmingly verified by computer experiment: There exists a P-256 ECDL algorithm that takes “time” ✙ 2 85 and has success probability ✙ 1. “Time” includes algorithm length. “ ✙ ”: details later in the talk. Inescapable conclusion: The standard conjectures (regarding P-256 ECDL hardness, P-256 ECDSA security, etc.) are false.

  30. Switch to P-384 but continue using 256-bit scalars?

  31. Switch to P-384 but continue using 256-bit scalars? Doesn’t fix the problem. There exists a P-384 ECDL algorithm that takes “time” ✙ 2 85 and has success probability ✙ 1 for P❀ ◗ with 256-bit log P ◗ .

  32. Switch to P-384 but continue using 256-bit scalars? Doesn’t fix the problem. There exists a P-384 ECDL algorithm that takes “time” ✙ 2 85 and has success probability ✙ 1 for P❀ ◗ with 256-bit log P ◗ . To push the cost of these attacks up to 2 128 , switch to P-384 and switch to 384-bit scalars. This is not common practice: users don’t like ✙ 3 ✂ slowdown.

  34. Should P-256 ECDSA users be worried about this P-256 ECDL algorithm ❆ ? No! We have a program ❇ that prints out ❆ , but ❇ takes “time” ✙ 2 170 . We conjecture that nobody will ever print out ❆ .

  35. Should P-256 ECDSA users be worried about this P-256 ECDL algorithm ❆ ? No! We have a program ❇ that prints out ❆ , but ❇ takes “time” ✙ 2 170 . We conjecture that nobody will ever print out ❆ . But ❆ exists , and the standard conjecture doesn’t see the 2 170 .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

1.13k views • 86 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

1.97k views • 196 slides
Seventeen Years Look back with sense of achievement ECDL Version 6 - Year 1 of New ECDL

Seventeen Years Look back with sense of achievement ECDL Version 6 - Year 1 of New ECDL

7 th March, 2014 Seventeen Years Look back with sense of achievement ECDL Version 6 - Year 1 of New ECDL Stand back and take stock Still in implementation phase ICS Parent organisation Professional body for people working

1.07k views • 76 slides
Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago &

Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago &

Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven The NIST curves were designed to make DLP

241 views • 12 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H ulsing Tanja Lange Ruben Niederhagen Christine van Vredendaal May 13, 2014 NSA/NIST FUD The NIST elliptic curves are behind the state of

433 views • 26 slides
Choosing curves D. J. Bernstein University of Illinois at Chicago Traditional algorithm design:

Choosing curves D. J. Bernstein University of Illinois at Chicago Traditional algorithm design:

Choosing curves D. J. Bernstein University of Illinois at Chicago Traditional algorithm design: f . Have a function Want fastest algorithm f . that computes Cryptographic algorithm design: Have gigantic collection of f . apparently-safe

250 views • 24 slides
Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the (prime-field) NIST curves I Presented by NIST in 1999 Curve names: P-192, P-224, P-256, P-384, P-521 Curve is defined over F p where p has

250 views • 22 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
C omputer D riving L icence ECDL Syllabus 5.0 Module 6 Presentation ECDL Syllabus 5

C omputer D riving L icence ECDL Syllabus 5.0 Module 6 Presentation ECDL Syllabus 5

E uropean C omputer D riving L icence ECDL Syllabus 5.0 Module 6 Presentation ECDL Syllabus 5 Courseware Module 6 Contents USING THE APPLICATION

1.03k views • 63 slides
Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a

1 Quantum algorithms Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set. How do we

1.53k views • 135 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
Course on Inverse Problems Albert Tarantola Lesson XV: Square Root Variable Metric Algorithm The

Course on Inverse Problems Albert Tarantola Lesson XV: Square Root Variable Metric Algorithm The

Institut de Physique du Globe de Paris & Universit Pierre et Marie Curie (Paris VI) Course on Inverse Problems Albert Tarantola Lesson XV: Square Root Variable Metric Algorithm The Square Root Variable Metric Algorithm for Least-Squares

316 views • 13 slides
What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

1 What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set.

1.5k views • 132 slides
Conditionals: between language and reasoning Class 1 - Introduction

Conditionals: between language and reasoning Class 1 - Introduction

Conditionals: between language and reasoning Class 1 - Introduction www.ivanociardelli.altervista.org/conditionals ivano.ciardelli@lmu.de Two switches Imagine a long hallway with a light in the middle and with two switches, one at each end.

1.37k views • 57 slides
ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean (

ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean (

ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean ( ) Recording 30 seconds. Each person must tell his/her story and answer 2 Uploading files If you cant find your partner, do it with someone

181 views • 4 slides
Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim

Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim

Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim Newton 1 , 2 , Duc Nghia Pham 1 , 2 , Abdul Sattar 1 , 2 , Michael Maher 1 , 3 , 4 1 National ICT Australia, 2 IIIS, Griffith University 3 CSE, University

427 views • 26 slides
HOW V VIRTUAL BEC ECOMES R REA EAL Post-forming a timber gridshell with Kangaroo (G_02.1)

HOW V VIRTUAL BEC ECOMES R REA EAL Post-forming a timber gridshell with Kangaroo (G_02.1)

HOW V VIRTUAL BEC ECOMES R REA EAL Post-forming a timber gridshell with Kangaroo (G_02.1) Issues in technology (2014) - Photo by Helene Detje

275 views • 11 slides
Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th,

272 views • 26 slides
International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best Practices in Education Award 2015 Valentina Dagiene, Wolfgang Pohl www.bebras.org Informatics @ School www.bebras.org ~ 1980: hardware, algorithms

586 views • 17 slides
AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret https://fleuret.org/ammi-2018/ Thu Sep 6 16:00:44 CAT 2018 COLE POLYTECHNIQUE FDRALE DE LAUSANNE Maximum response samples Fran cois Fleuret AMMI

686 views • 45 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides

More recommend