non uniform concrete security an example cracks in the
play

Non-uniform Concrete security: an example cracks in the concrete: - PowerPoint PPT Presentation

Mar 10, 2024 •261 likes •1.13k views

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

  1. Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P❀ ◗ , University of Illinois at Chicago & where P is a standard generator. Technische Universiteit Eindhoven ECDL output: log P ◗ . Tanja Lange Standard definition of “best”: Technische Universiteit Eindhoven minimize “time”. Full 53-page paper, including progress towards formalizing collision resistance: eprint.iacr.org/2012/318

  2. Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P❀ ◗ , University of Illinois at Chicago & where P is a standard generator. Technische Universiteit Eindhoven ECDL output: log P ◗ . Tanja Lange Standard definition of “best”: Technische Universiteit Eindhoven minimize “time”. Full 53-page paper, More generally, allow attacks with including progress towards ❁ 100% success probability; formalizing collision resistance: analyze tradeoffs between eprint.iacr.org/2012/318 “time” and success probability. This talk focuses on high prob.

  3. Non-uniform Concrete security: an example P-256 discrete- ✮ in the concrete: total TLS-ECDHE-P-256 What is the best NIST P-256 wer of free precomputation Should TLS discrete-log attack algorithm? Bernstein ECDL input: P-256 points P❀ ◗ , University of Illinois at Chicago & where P is a standard generator. echnische Universiteit Eindhoven ECDL output: log P ◗ . Lange Standard definition of “best”: echnische Universiteit Eindhoven minimize “time”. 53-page paper, More generally, allow attacks with including progress towards ❁ 100% success probability; rmalizing collision resistance: analyze tradeoffs between eprint.iacr.org/2012/318 “time” and success probability. This talk focuses on high prob.

  4. Concrete security: an example P-256 discrete-log ✮ concrete: total TLS-ECDHE-P-256 What is the best NIST P-256 free precomputation Should TLS users discrete-log attack algorithm? ECDL input: P-256 points P❀ ◗ , Illinois at Chicago & where P is a standard generator. Universiteit Eindhoven ECDL output: log P ◗ . Standard definition of “best”: Universiteit Eindhoven minimize “time”. er, More generally, allow attacks with rogress towards ❁ 100% success probability; ion resistance: analyze tradeoffs between eprint.iacr.org/2012/318 “time” and success probability. This talk focuses on high prob.

  5. Concrete security: an example P-256 discrete-log attack ✮ total TLS-ECDHE-P-256 break! What is the best NIST P-256 recomputation Should TLS users worry? discrete-log attack algorithm? ECDL input: P-256 points P❀ ◗ , Chicago & where P is a standard generator. Eindhoven ECDL output: log P ◗ . Standard definition of “best”: Eindhoven minimize “time”. More generally, allow attacks with ❁ 100% success probability; resistance: analyze tradeoffs between eprint.iacr.org/2012/318 “time” and success probability. This talk focuses on high prob.

  6. Concrete security: an example P-256 discrete-log attack ✮ total TLS-ECDHE-P-256 break! What is the best NIST P-256 Should TLS users worry? discrete-log attack algorithm? ECDL input: P-256 points P❀ ◗ , where P is a standard generator. ECDL output: log P ◗ . Standard definition of “best”: minimize “time”. More generally, allow attacks with ❁ 100% success probability; analyze tradeoffs between “time” and success probability. This talk focuses on high prob.

  7. Concrete security: an example P-256 discrete-log attack ✮ total TLS-ECDHE-P-256 break! What is the best NIST P-256 Should TLS users worry? discrete-log attack algorithm? No. Many researchers have ECDL input: P-256 points P❀ ◗ , tried and failed to find good where P is a standard generator. P-256 discrete-log attacks. ECDL output: log P ◗ . Standard definition of “best”: minimize “time”. More generally, allow attacks with ❁ 100% success probability; analyze tradeoffs between “time” and success probability. This talk focuses on high prob.

  8. Concrete security: an example P-256 discrete-log attack ✮ total TLS-ECDHE-P-256 break! What is the best NIST P-256 Should TLS users worry? discrete-log attack algorithm? No. Many researchers have ECDL input: P-256 points P❀ ◗ , tried and failed to find good where P is a standard generator. P-256 discrete-log attacks. ECDL output: log P ◗ . Standard conjecture: Standard definition of “best”: For each ♣ ✷ [0 ❀ 1], minimize “time”. each P-256 ECDL algorithm with success probability ✕ ♣ More generally, allow attacks with takes “time” ✕ 2 128 ♣ 1 ❂ 2 . ❁ 100% success probability; analyze tradeoffs between Similar conjectures for AES-128, “time” and success probability. RSA-3072, etc.: see, e.g., This talk focuses on high prob. 2005 Bellare–Rogaway.

  9. Concrete security: an example P-256 discrete-log attack ✮ Concrete total TLS-ECDHE-P-256 break! is the best NIST P-256 Another Should TLS users worry? discrete-log attack algorithm? Each TLS-ECDHE-P-256 No. Many researchers have with succes ✕ ♣ input: P-256 points P❀ ◗ , ♣ ❂ tried and failed to find good takes “time” ✕ P is a standard generator. P-256 discrete-log attacks. output: log P ◗ . Standard conjecture: Standard definition of “best”: For each ♣ ✷ [0 ❀ 1], minimize “time”. each P-256 ECDL algorithm with success probability ✕ ♣ generally, allow attacks with takes “time” ✕ 2 128 ♣ 1 ❂ 2 . ❁ success probability; analyze tradeoffs between Similar conjectures for AES-128, and success probability. RSA-3072, etc.: see, e.g., talk focuses on high prob. 2005 Bellare–Rogaway.

  10. y: an example P-256 discrete-log attack ✮ Concrete reductions total TLS-ECDHE-P-256 break! est NIST P-256 Another conjecture: Should TLS users worry? attack algorithm? Each TLS-ECDHE-P-256 No. Many researchers have with success probabilit ✕ ♣ P-256 points P❀ ◗ , takes “time” ✕ 2 128 ♣ ❂ tried and failed to find good P standard generator. P-256 discrete-log attacks. log P ◗ . Standard conjecture: definition of “best”: For each ♣ ✷ [0 ❀ 1], ”. each P-256 ECDL algorithm with success probability ✕ ♣ allow attacks with takes “time” ✕ 2 128 ♣ 1 ❂ 2 . ❁ probability; tradeoffs between Similar conjectures for AES-128, success probability. RSA-3072, etc.: see, e.g., cuses on high prob. 2005 Bellare–Rogaway.

  11. example P-256 discrete-log attack ✮ Concrete reductions total TLS-ECDHE-P-256 break! P-256 Another conjecture: Should TLS users worry? rithm? Each TLS-ECDHE-P-256 attack No. Many researchers have with success probability ✕ ♣ oints P❀ ◗ , takes “time” ✕ 2 128 ♣ 1 ❂ 2 . tried and failed to find good P generator. P-256 discrete-log attacks. P ◗ Standard conjecture: est”: For each ♣ ✷ [0 ❀ 1], each P-256 ECDL algorithm with success probability ✕ ♣ attacks with takes “time” ✕ 2 128 ♣ 1 ❂ 2 . ❁ y; Similar conjectures for AES-128, robability. RSA-3072, etc.: see, e.g., prob. 2005 Bellare–Rogaway.

  12. P-256 discrete-log attack ✮ Concrete reductions total TLS-ECDHE-P-256 break! Another conjecture: Should TLS users worry? Each TLS-ECDHE-P-256 attack No. Many researchers have with success probability ✕ ♣ takes “time” ✕ 2 128 ♣ 1 ❂ 2 . tried and failed to find good P-256 discrete-log attacks. Standard conjecture: For each ♣ ✷ [0 ❀ 1], each P-256 ECDL algorithm with success probability ✕ ♣ takes “time” ✕ 2 128 ♣ 1 ❂ 2 . Similar conjectures for AES-128, RSA-3072, etc.: see, e.g., 2005 Bellare–Rogaway.

  13. P-256 discrete-log attack ✮ Concrete reductions total TLS-ECDHE-P-256 break! Another conjecture: Should TLS users worry? Each TLS-ECDHE-P-256 attack No. Many researchers have with success probability ✕ ♣ takes “time” ✕ 2 128 ♣ 1 ❂ 2 . tried and failed to find good P-256 discrete-log attacks. Why should users have any Standard conjecture: confidence in this conjecture? For each ♣ ✷ [0 ❀ 1], How many researchers each P-256 ECDL algorithm have really tried to break with success probability ✕ ♣ ECDHE-P-256? ECDSA-P-256? takes “time” ✕ 2 128 ♣ 1 ❂ 2 . ECIES-P-256? ECMQV-P-256? Similar conjectures for AES-128, Other P-256-based protocols? RSA-3072, etc.: see, e.g., Far less attention than for ECDL. 2005 Bellare–Rogaway.

  14. discrete-log attack ✮ Concrete reductions Provable TLS-ECDHE-P-256 break! Another conjecture: Prove: if TLS users worry? Each TLS-ECDHE-P-256 attack a TLS-ECDHE-P-256 Many researchers have with success probability ✕ ♣ then there takes “time” ✕ 2 128 ♣ 1 ❂ 2 . and failed to find good a P-256 discrete-log attacks. with simila Why should users have any and success Standard conjecture: confidence in this conjecture? each ♣ ✷ [0 ❀ 1], How many researchers P-256 ECDL algorithm have really tried to break success probability ✕ ♣ ECDHE-P-256? ECDSA-P-256? “time” ✕ 2 128 ♣ 1 ❂ 2 . ECIES-P-256? ECMQV-P-256? r conjectures for AES-128, Other P-256-based protocols? RSA-3072, etc.: see, e.g., Far less attention than for ECDL. Bellare–Rogaway.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Non-uniform cracks in the concrete Daniel J. Bernstein University of Illinois at Chicago Joint

Non-uniform cracks in the concrete Daniel J. Bernstein University of Illinois at Chicago Joint

Non-uniform cracks in the concrete Daniel J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Paper coming soon, including detailed credits and historical discussion. Classic

283 views • 14 slides
Non-uniform cracks in the concrete: the power of free precomputation D. J. Bernstein University

Non-uniform cracks in the concrete: the power of free precomputation D. J. Bernstein University

Non-uniform cracks in the concrete: the power of free precomputation D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven Full 53-page paper, including

477 views • 36 slides
Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein

Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein

Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 ,

1.02k views • 62 slides
STUDY OF THERMAL CRACKS IN CONCRETE STRUCTURES USING PROBABILITY THEORY Masami Ishikawa Tohoku

STUDY OF THERMAL CRACKS IN CONCRETE STRUCTURES USING PROBABILITY THEORY Masami Ishikawa Tohoku

STUDY OF THERMAL CRACKS IN CONCRETE STRUCTURES USING PROBABILITY THEORY Masami Ishikawa Tohoku Gakuin University, Japan Masahiro Yurugi Former Prof. of Hirosaki University, Japan JSCE Standard Spec. for concrete structures Definition of Crack

204 views • 16 slides
Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis New York University Joint work with Siyao Guo (Simons Institute, UC Berkeley) Jonathan Katz (University of Maryland) Hash Functions Are Ubiquitous

650 views • 40 slides
How to Decide Which Cracks Practical Case of . . . Should be Repaired First: Empirical

How to Decide Which Cracks Practical Case of . . . Should be Repaired First: Empirical

Which Cracks Should . . . To Make a Proper . . . How Cracks Grow: A . . . Case of Very Short Cracks How to Decide Which Cracks Practical Case of . . . Should be Repaired First: Empirical Dependence . . . Beyond Paris Law Theoretical

624 views • 31 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, Yu Yu All widely used GCs have a birthday-bound security Explicit attack GC based on fix-key block cipher

313 views • 7 slides
Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A Uniform CLASS A UNIFORM C1. Wear the Class A Uniform to standard. Class A Uniform Known as Black Service Uniform or Class A Worn mainly

502 views • 14 slides
twenty one service loads x load factors concrete holds no tension failure criteria is

twenty one service loads x load factors concrete holds no tension failure criteria is

E LEMENTS OF A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 614 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2019 design for maximum stresses

253 views • 6 slides
nineteen service loads x load factors concrete holds no tension failure criteria is

nineteen service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel A RCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S UMMER 2018 design for maximum stresses lecture limit

641 views • 9 slides
On the Concrete Security of Goldreichs PRG Yann Rotella Joint work with Geoffroy Couteau,

On the Concrete Security of Goldreichs PRG Yann Rotella Joint work with Geoffroy Couteau,

On the Concrete Security of Goldreichs PRG Yann Rotella Joint work with Geoffroy Couteau, Aurlien Dupin, Pierrick Maux and Mlissa Rossi January 31, 2019 Introduction A subexponential-time attack Algebraic cryptanalysis

1.22k views • 53 slides
Curriculum on The Cadet Corps Uniform Wear It WIth honor Class C Uniform Class C Uniform

Curriculum on The Cadet Corps Uniform Wear It WIth honor Class C Uniform Class C Uniform

Curriculum on The Cadet Corps Uniform Wear It WIth honor Class C Uniform Class C Uniform Agenda B1. Class C Uniform CLASS C UNIFORM B1. Wear the Class C Uniform to standard. Class C Uniform Fully described in CR 1-8, Chp. 8 Headgear

185 views • 14 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo Jonathan Katz Xiao Wang Chenkai Weng Yu Yu Yaos garbled circuits Two-party computation (2PC) Multiple optimizations

376 views • 20 slides
Inverse scattering for obstacles and cracks with impedance boundary conditions Fahmi Ben Hassen

Inverse scattering for obstacles and cracks with impedance boundary conditions Fahmi Ben Hassen

Introduction Obstacle scattering Inverse scattering for cracks List-to-do Inverse scattering for obstacles and cracks with impedance boundary conditions Fahmi Ben Hassen ENIT-LAMSIN, Tunis PICOF12, Palaiseau April 2011 Introduction

964 views • 68 slides
twenty two service loads x load factors concrete holds no tension failure criteria is

twenty two service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2018 design for maximum stresses lecture limit

346 views • 9 slides
1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain?

1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain?

1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain? Philipp Quiel 2 Agenda General scope of the legal basis in Art. 6 (1) b GDPR Possibilities of concluding contracts in blockchain systems

553 views • 19 slides
On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas,

On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas,

On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas, Abdelkader Hamadi, Mateusz Budnik, Philippe Mulhem and Georges Qunot UJF-LIG and many other people from the IRIM group of GDR 720 ISIS 10 November

450 views • 24 slides
Overview of LBNF Target Conceptual Design & Physics Performance Chris Densham (STFC Rutherford

Overview of LBNF Target Conceptual Design & Physics Performance Chris Densham (STFC Rutherford

Overview of LBNF Target Conceptual Design & Physics Performance Chris Densham (STFC Rutherford Appleton Laboratory) John Back (Warwick University) Our starting point: Helium Cooled T2K Target Target installation in magnetic horn using

471 views • 15 slides
CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page

735 views • 46 slides
Information Technology Is Creating A New Social Fabric Definition

Information Technology Is Creating A New Social Fabric Definition

Information Technology Is Creating A New Social Fabric Definition Social Fabric Information Technology Speakers: Niall Conroy Examples Derek Foley Television Email Andrew Anderson

384 views • 3 slides
Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your

Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your

Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your own teaching? (School of Mathematics) Math 8001 UMN 2 / 12 Your assignment Pick a section covered in your class next week (modulo special

296 views • 16 slides
Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on

Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on

Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on Philosophy of Mathematics and Computer Science Manchester, 17 July 2012 preamble - declaration of intents the classical foundation can be

315 views • 20 slides
Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of

Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of

Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of Nottingham BCTCS 05 p.1/16 Birth of Modern Mathematics BCTCS 05 p.2/16 Birth of Modern Mathematics Isaac Newton (1642 - 1727) BCTCS 05 p.2/16

827 views • 57 slides

More recommend