SLIDE 1 Non-uniform cracks in the concrete: the power of free precomputation
Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven
Tanja Lange, Technische Universiteit Eindhoven
Full 53-page paper, including progress towards formalizing collision resistance: eprint.iacr.org/2012/318
SLIDE 8 Concrete security: an example
What is the best NIST P-256 discrete-log attack algorithm?
ECDL input: P-256 points $P, Q$, where $P$ is a standard generator.
ECDL output: $\log_P Q$.
Standard definition of “best”: minimize “time”.
More generally, allow attacks with $<100\%$ success probability; analyze tradeoffs between “time” and success probability. This talk focuses on high probability.
P-256 discrete-log attack $\Rightarrow$ total TLS-ECDHE-P-256 break! Should TLS users worry?
No. Many researchers have tried and failed to find good P-256 discrete-log attacks.
Standard conjecture: For each $p \in [0, 1]$, each P-256 ECDL algorithm with success probability $\ge p$ takes “time” $\ge 2^{128} p^{1/2}$.
Similar conjectures for AES-128, RSA-3072, etc.: see, e.g., 2005 Bellare–Rogaway.
SLIDE 13 Concrete reductions
Another conjecture: Each TLS-ECDHE-P-256 attack with success probability $\ge p$ takes “time” $\ge 2^{128} p^{1/2}$.
Why should users have any confidence in this conjecture? How many researchers have really tried to break ECDHE-P-256? ECDSA-P-256? ECIES-P-256? ECMQV-P-256? Other P-256-based protocols? Far less attention than for ECDL.
SLIDE 23 Provable security to the rescue!
Prove: if there is a TLS-ECDHE-P-256 attack then there is a P-256 discrete-log attack with similar “time” and success probability.
Oops: This turns out to be hard. But changing DL to DDH + adding more assumptions allows a proof: Crypto 2012 Jager–Kohlar–Schäge–Schwenk, “On the security of TLS-DHE in the standard model”.
Similar pattern throughout the “provable security” literature. Protocol designers (try to) prove that hardness of a problem $P$ (e.g., P-256 DDH) implies security of various protocols $Q$. After extensive cryptanalysis of $P$, maybe gain confidence in hardness of $P$, and hence in security of $Q$.
Why not directly cryptanalyze $Q$? Cryptanalysis is hard work: have to focus on a few problems $P$. Proofs scale to many protocols $Q$.
SLIDE 34 Interlude regarding “time”
How much “time” does the following algorithm take?

    def pidigit(n0,n1,n2):
      # n0, n1, n2 are the bits of n (n0 most significant);
      # the nested branches return digit n of 3.1415926...
      if n0 == 0:
        if n1 == 0:
          if n2 == 0: return 3
          return 1
        if n2 == 0: return 4
        return 1
      if n1 == 0:
        if n2 == 0: return 5
        return 9
      if n2 == 0: return 2
      return 6

Students in algorithm courses learn to count executed “steps”. Skipped branches take 0 “steps”. This algorithm uses 4 “steps”.
Generalization: There exists an algorithm that, given $n < 2^k$, prints the $n$th digit of $\pi$ using $k + 1$ “steps”.
Variant: There exists a 258-“step” P-256 discrete-log attack (with 100% success probability).
If “time” means “steps” then the standard conjectures are wrong.
SLIDE 44 1994 Bellare–Kilian–Rogaway: “We say that $A$ is a $(t, q)$-adversary if $A$ runs in at most $t$ steps and makes at most $q$ queries to $O$.”
Oops: table-lookup attack has very small $t$. Paper conjectured “useful” DES security bounds. Any reasonable interpretation of conjecture was false, given paper’s definition. Theorems in paper were vacuous.
2000 Bellare–Kilian–Rogaway: “We fix some particular Random Access Machine (RAM) as a model of computation. ... $A$’s running time [means] $A$’s actual execution time plus the length of $A$’s description ... This convention eliminates pathologies caused [by] arbitrarily large lookup tables ...”
Main point of our paper: There are more pathologies! Illustrative example: ECDL.
SLIDE 51
ay: Random as a ✿ ✿ ✿ ❆’s ❆ actual length ❆ ✿ ✿ ✿ This pathologies rge lookup ✿ ✿ ✿ pathologies! ECDL. The rho method Simplified, non-parallel rho: Make a pseudo-random walk ❘0❀ ❘1❀ ❘2❀ ✿ ✿ ✿ in the group ❤P✐, where current point determines the next point: ❘✐+1 = ❢(❘✐). Birthday paradox: Randomly choosing from ❵ elements picks one element twice after about ♣ ✙❵❂2 draws. P-256: ❵ ✙ 2256 so ✙2128 draws. The walk now enters a cycle. Cycle-finding algorithm (e.g., Floyd) quickly detects this. Goal: Compute logP ◗. Assume that for each ✐ we know ①✐❀ ②✐ ✷ Z❂❵Z so that ❘✐ = ②✐P + ①✐◗. Then ❘✐ = ❘❥ means that ②✐P + ①✐◗ = ②❥P + ①❥◗ so (②✐ ②❥)P = (①❥ ①✐)◗. If ①✐ ✻= ①❥ the DLP is solved: logP ◗ = (②❥ ②✐)❂(①✐ ①❥
SLIDE 52
The rho method Simplified, non-parallel rho: Make a pseudo-random walk ❘0❀ ❘1❀ ❘2❀ ✿ ✿ ✿ in the group ❤P✐, where current point determines the next point: ❘✐+1 = ❢(❘✐). Birthday paradox: Randomly choosing from ❵ elements picks one element twice after about ♣ ✙❵❂2 draws. P-256: ❵ ✙ 2256 so ✙2128 draws. The walk now enters a cycle. Cycle-finding algorithm (e.g., Floyd) quickly detects this. Goal: Compute logP ◗. Assume that for each ✐ we know ①✐❀ ②✐ ✷ Z❂❵Z so that ❘✐ = ②✐P + ①✐◗. Then ❘✐ = ❘❥ means that ②✐P + ①✐◗ = ②❥P + ①❥◗ so (②✐ ②❥)P = (①❥ ①✐)◗. If ①✐ ✻= ①❥ the DLP is solved: logP ◗ = (②❥ ②✐)❂(①✐ ①❥).
SLIDE 53 e.g. “base-(P, Q) r-adding walk”: precompute S_1, S_2, …, S_r as random combinations aP + bQ; define f(R) = R + S_{H(R)}, where H hashes to {1, 2, …, r}.
SLIDE 57 Parallel rho. 1994 van Oorschot–Wiener: Declare some subset of ⟨P⟩ to be the set of distinguished points: e.g., all R ∈ ⟨P⟩ where the last 20 bits of the representation of R are 0. Perform, in parallel, walks for different starting points Q + yP but the same update function f. Terminate each walk once it hits a distinguished point. Report the point to a central server. The server receives, stores, and sorts all distinguished points.
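The serial rho walk with its (x_i, y_i) bookkeeping and the van Oorschot–Wiener distinguished-point version, as an added Python example that is not code from the talk or the paper. It assumes a constructed toy group in place of P-256 (the order-5003 subgroup of Z_10007^*, generator P = 4), a hash H(R) that just reads bits of R, and fixed random seeds; the group operation is modular multiplication, so the slides' additive notation yP + xQ reads P^y·Q^x mod p here.

```python
"""Rho with a base-(P, Q) r-adding walk: serial (Floyd) and parallel with
distinguished points.  Added illustration, not code from the talk or paper.
Constructed toy group: the order-l subgroup of Z_p^*, p = 10007, l = 5003
(p = 2l + 1), generator P = 4.  Elements are ints mod p, so the slides'
additive notation yP + xQ reads P**y * Q**x mod p here."""
import random

p, l, P = 10007, 5003, 4
assert pow(P, l, p) == 1 and P != 1     # ord(P) divides the prime l, so it is l

def scalar(k, X):
    """kX in the slides' notation."""
    return pow(X, k % l, p)

def add(X, Y):
    """X + Y in the slides' notation."""
    return X * Y % p

class AddingWalk:
    """f(R) = R + S_{H(R)} with S_k = a_k P + b_k Q.  Every walker carries
    (y, x) with R = yP + xQ and updates them alongside R."""

    def __init__(self, Q, r=16, seed=1):
        rng = random.Random(seed)
        self.coeffs = [(rng.randrange(l), rng.randrange(l)) for _ in range(r)]
        self.steps = [add(scalar(a, P), scalar(b, Q)) for a, b in self.coeffs]
        self.ops = 0                        # group operations: the slides' cost unit

    def step(self, R, y, x):
        k = (R >> 5) % len(self.steps)      # H(R): bits disjoint from the DP test
        a, b = self.coeffs[k]
        self.ops += 1
        return add(R, self.steps[k]), (y + a) % l, (x + b) % l

def solve_collision(yi, xi, yj, xj):
    """R_i = R_j, i.e. y_i P + x_i Q = y_j P + x_j Q, gives
    log_P Q = (y_j - y_i)/(x_i - x_j) mod l provided x_i != x_j."""
    if xi == xj:
        return None                         # useless collision; the caller retries
    return (yj - yi) * pow(xi - xj, -1, l) % l

def floyd_rho(Q, seed=2):
    """Serial rho: one walk enters a cycle after ~sqrt(pi*l/2) steps; Floyd's
    tortoise/hare finds R_i = R_{2i}, and the coefficients give the log."""
    while True:
        walk = AddingWalk(Q, seed=seed)
        y0 = random.Random(seed).randrange(l)
        t = h = (add(Q, scalar(y0, P)), y0, 1)     # R_0 = Q + y0 P
        while True:
            t = walk.step(*t)
            h = walk.step(*walk.step(*h))
            if t[0] == h[0]:
                break
        d = solve_collision(t[1], t[2], h[1], h[2])
        if d is not None:
            return d, walk.ops
        seed += 1                           # x_i == x_j: rerun with a fresh f

def distinguished(R, dbits):
    """Distinguished point: the last dbits bits of the representation are 0."""
    return R & ((1 << dbits) - 1) == 0

def parallel_rho(Q, dbits=4, seed=3):
    """van Oorschot-Wiener: walks from Q + yP sharing one f stop at the first
    distinguished point and report (D, y, x) to a central table.  A point that
    arrives twice is a collision between two walks and solves the DLP."""
    rng = random.Random(seed)
    walk = AddingWalk(Q, seed=seed)
    table = {}                              # central server: D -> (y, x)
    limit = 20 << dbits                     # abandon a walk stuck in a DP-free cycle
    while True:
        y = rng.randrange(l)
        R, x = add(Q, scalar(y, P)), 1      # start at Q + yP
        for _ in range(limit):
            if distinguished(R, dbits):
                if R in table:
                    d = solve_collision(*table[R], y, x)
                    if d is not None:
                        return d, walk.ops, len(table)
                else:
                    table[R] = (y, x)
                break
            R, y, x = walk.step(R, y, x)

if __name__ == "__main__":
    Q = scalar(1234, P)                     # constructed target with known log
    print(floyd_rho(Q), parallel_rho(Q))
```

Both solvers return the operation count, which for this group lands near the slides' √(πℓ/2) ≈ 89 estimate; the walk's `ops` counter is the "time" the slides measure.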
SLIDE 62 State of the art. Can break DLP in a group of order ℓ in √(πℓ/2) group operations. Use the negation map to gain a factor √2 for elliptic curves. Solving DLP on NIST P-256 takes ≈ 2^128 group operations. This is the best algorithm that cryptanalysts have published. But is it the best algorithm that exists?
SLIDE 71 This paper’s ECDL algorithms. Assuming plausible heuristics, overwhelmingly verified by computer experiment: There exists a P-256 ECDL algorithm that takes “time” ≈ 2^85 and has success probability ≈ 1. “Time” includes algorithm length. Inescapable conclusion: The standard conjectures (regarding P-256 ECDL hardness, P-256 ECDHE security, etc.) are false.
Should P-256 ECDHE users be worried about this P-256 ECDL algorithm A? No! We have a program B that prints out A, but B takes “time” ≈ 2^170. We conjecture that nobody will ever print out A. But A exists, and the standard conjecture doesn’t see the 2^170.
SLIDE 75 Cryptanalysts do see the 2^170. Common parlance: We have a 2^170 “precomputation” (independent of Q) followed by a 2^85 “main computation”. For cryptanalysts: This costs 2^170, much worse than 2^128. For the standard security definitions and conjectures: The main computation costs 2^85, much better than 2^128.
SLIDE 82 Almost standard walk function: redefine the steps S_i to depend on P only; i.e., S_i = c_i P with c_i chosen uniformly at random. Precomputation: Start some walks at yP for random choices of y. Build a table of distinct distinguished points D along with log_P D. Main computation: Starting from Q, walk to a distinguished point Q + yP. Check for Q + yP in the table. (If this fails, rerandomize Q.)
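The P-only walk, the distinguished-point table and the main computation of the last slides, as an added Python example that is not the talk's or the paper's code. It assumes the same constructed toy group (order-5003 subgroup of Z_10007^*, P = 4), a hash H(R) that reads bits of R, and fixed seeds; it counts group operations separately for the two phases so the precomputation/main-computation split of the slides shows up in miniature.

```python
"""Free precomputation for a fixed generator P: P-only walk, distinguished-point
table, short main computation.  Added illustration, not the talk's or paper's
code.  Same constructed toy group: order-l subgroup of Z_p^*, p = 10007,
l = 5003, P = 4; the slides' yP + xQ reads P**y * Q**x mod p here."""
import random

p, l, P = 10007, 5003, 4
assert pow(P, l, p) == 1 and P != 1     # ord(P) is the prime l
R_STEPS, DBITS = 16, 3                  # r-adding table size; DP = last 3 bits zero

def scalar(k, X):
    return pow(X, k % l, p)             # kX in the slides' notation

def add(X, Y):
    return X * Y % p                    # X + Y in the slides' notation

class PWalk:
    """f(R) = R + S_{H(R)} with S_k = c_k P.  Because no step involves Q, a
    walker at yP + xQ only ever changes y, and the same f serves every Q."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.c = [rng.randrange(l) for _ in range(R_STEPS)]
        self.S = [scalar(c, P) for c in self.c]
        self.ops = 0                    # group operations, the slides' cost unit

    def to_distinguished(self, R, y, limit=20 << DBITS):
        """Walk until the last DBITS bits of R are 0; return (D, y) with
        D = yP + xQ for the caller's fixed x, or None if the walk got stuck."""
        for _ in range(limit):
            if R & ((1 << DBITS) - 1) == 0:
                return R, y
            k = (R >> 5) % R_STEPS      # H(R): bits disjoint from the DP test
            R, y = add(R, self.S[k]), (y + self.c[k]) % l
            self.ops += 1
        return None

def precompute(walk, n_walks, seed=1):
    """Q-independent phase: walks from yP for random y end at D = y'P, so the
    table stores D -> log_P D = y' directly."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_walks):
        y = rng.randrange(l)
        hit = walk.to_distinguished(scalar(y, P), y)
        if hit and hit[0] not in table:
            table[hit[0]] = hit[1]
    return table

def main_computation(walk, table, Q, seed=2, max_tries=1000):
    """Walk from Q (x = 1) to D = Q + yP.  If the table says D = tP then
    log_P Q = t - y.  On a miss, rerandomize: restart from Q + zP; the
    y-coefficient starts at z, so the same formula still applies."""
    rng = random.Random(seed)
    z = 0
    for _ in range(max_tries):
        hit = walk.to_distinguished(add(Q, scalar(z, P)), z)
        if hit and hit[0] in table:
            D, y = hit
            return (table[D] - y) % l
        z = rng.randrange(l)
    return None

def demo(secret=1234, n_walks=400):
    """Returns (recovered log, precomputation ops, main-computation ops, table size)."""
    walk = PWalk()
    table = precompute(walk, n_walks)
    pre_ops, walk.ops = walk.ops, 0
    Q = scalar(secret, P)               # constructed target with known log
    d = main_computation(walk, table, Q)
    return d, pre_ops, walk.ops, len(table)

if __name__ == "__main__":
    print(demo())
```

The table is built once and reused for any Q in the group, which is exactly the cost the standard "time" definition fails to charge for.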
SLIDE 86 What you find in the full paper: P-256 isn’t the only problem! There exist algorithms breaking AES-128, RSA-3072, DSA-3072 at cost below 2^128; e.g., time 2^85 to break AES. (Assuming standard heuristics.) ⇒ Very large separation between the standard definition and actual security. Also: Analysis of various ideas for fixing the definitions. eprint.iacr.org/2012/318