� � � Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a “strong” elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit crypto: Broken. 1024-bit crypto: Shaky. “Size does matter!” 2 255 19 must be, um, 256 bits. Fantastic! Best possible security level.
� � � � enough? What marketing says What NSA says keys 56-bit crypto: Broken. NSA approves products elliptic curve 128-bit crypto: Okay. “classified or mission (2 255 19). 256-bit crypto: High security! national security info 512-bit crypto: Broken. NSA wants “elliptic 1024-bit crypto: Shaky. matter!” GF( ), where is 2 255 greater than 2 255 .” 19 must be, um, 256 bits. Fantastic! So 2 255 + 95 is fine Best possible security level. for national securit but 2 255 19 is not.
� � What marketing says What NSA says 56-bit crypto: Broken. NSA approves products for 128-bit crypto: Okay. “classified or mission critical 256-bit crypto: High security! national security information.” 512-bit crypto: Broken. NSA wants “elliptic curves over 1024-bit crypto: Shaky. GF( ), where is a prime number 2 255 greater than 2 255 .” 19 must be, um, 256 bits. Fantastic! So 2 255 + 95 is fine Best possible security level. for national security information but 2 255 19 is not.
� � says What NSA says What NIST says Broken. NSA approves products for 128-bit AES keys “co Okay. “classified or mission critical ECC primes with “256-383” High security! national security information.” the amount of work Broken. “break the algorithms” NSA wants “elliptic curves over Shaky. is approximately the GF( ), where is a prime number namely 2 128 operations, greater than 2 255 .” be, um, 256 bits. by best techniques So 2 255 + 95 is fine security level. for national security information but 2 255 19 is not.
� What NSA says What NIST says NSA approves products for 128-bit AES keys “correspond” to “classified or mission critical ECC primes with “256-383” bits: national security information.” the amount of work needed to “break the algorithms” NSA wants “elliptic curves over is approximately the same, GF( ), where is a prime number namely 2 128 operations, greater than 2 255 .” by best techniques known. So 2 255 + 95 is fine for national security information but 2 255 19 is not.
� ✁ ✂ ✂ ✂ ✁ ✁ � What NIST says What I say roducts for 128-bit AES keys “correspond” to Given ( ) = AES 2 127 AES mission critical ECC primes with “256-383” bits: using information.” the amount of work needed to Given ( 1 ) ( 2 “break the algorithms” “elliptic curves over find all ✄ using a is approximately the same, is a prime number AES evaluations. namely 2 128 operations, .” Or find some ✄ using by best techniques known. fine evaluations. security information Standard algorithms not. negligible communication perfect parallelization: cr.yp.to/papers.html #bruteforce
✁ ✁ ✁ ✂ ✂ ✂ What NIST says What I say � (0), find 128-bit AES keys “correspond” to Given ( ) = AES 2 127 AES evaluations. ECC primes with “256-383” bits: using the amount of work needed to Given ( 1 ) ( 2 ) ( 2 40 ), “break the algorithms” 2 127 find all ✄ using a total of is approximately the same, AES evaluations. namely 2 128 operations, 2 87 AES Or find some ✄ using by best techniques known. evaluations. Standard algorithms have negligible communication and perfect parallelization: see, e.g., cr.yp.to/papers.html #bruteforce
✁ ✁ ✂ ✂ ✂ ✁ What I say Given public key on 255-bit elliptic curve � (0), find eys “correspond” to Given ( ) = AES find secret key 2 127 AES evaluations. “256-383” bits: using 2 127 additions using ork needed to Given ( 1 ) ( 2 ) ( 2 40 ), Given 2 40 public keys, rithms” 2 127 find all ✄ using a total of the same, find all secret keys AES evaluations. 2 147 additions erations, using 2 87 AES Or find some ✄ using techniques known. Finding some key is evaluations. as finding first key: 2 127 additions. Easily Standard algorithms have negligible communication and by random self-reduction. perfect parallelization: see, e.g., See, e.g., Kuhn and cr.yp.to/papers.html #bruteforce
✁ ✁ ✂ ✂ ✂ ✁ What I say Given public key on 255-bit elliptic curve , � (0), find Given ( ) = AES find secret key 2 127 AES evaluations. using 2 127 additions on using . Given ( 1 ) ( 2 ) ( 2 40 ), Given 2 40 public keys, 2 127 find all ✄ using a total of find all secret keys AES evaluations. 2 147 additions on using . 2 87 AES Or find some ✄ using Finding some key is as hard evaluations. as finding first key: 2 127 additions. Easily prove Standard algorithms have negligible communication and by random self-reduction. perfect parallelization: see, e.g., See, e.g., Kuhn and Struik, 2001. cr.yp.to/papers.html #bruteforce
✁ ✄ ✁ � ✁ ✂ ✂ ✂ Given public key on Even worse for AES: 255-bit elliptic curve , can try much less computation. � (0), find AES find secret key Success chance drops AES evaluations. 2 127 additions on using . For elliptic curves, 2 ) ( 2 40 ), Given 2 40 public keys, drops quadratically 2 127 a total of find all secret keys evaluations. Bottom line: 128-bit 2 147 additions on using . not comparable in 2 87 AES ✄ using Finding some key is as hard to 255-bit elliptic-curve as finding first key: Is 2 255 19 big enough? 2 127 additions. Easily prove rithms have Is 128-bit AES safe? communication and by random self-reduction. rallelization: see, e.g., See, e.g., Kuhn and Struik, 2001. cr.yp.to/papers.html
� Given public key on Even worse for AES: Attacker 255-bit elliptic curve , can try much less computation. find secret key Success chance drops linearly. 2 127 additions on using . For elliptic curves, success chance Given 2 40 public keys, drops quadratically. find all secret keys Bottom line: 128-bit AES keys are 2 147 additions on using . not comparable in security Finding some key is as hard to 255-bit elliptic-curve keys. as finding first key: Is 2 255 19 big enough? Yes. 2 127 additions. Easily prove Is 128-bit AES safe? Unclear. by random self-reduction. See, e.g., Kuhn and Struik, 2001.
Recommend
More recommend
