Abstract
AES-128, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols are frequently conjectured to provide a security level of 2^128. Extensive cryptanalysis of these primitives appears to have stabilized sufficiently to support such conjectures.
In the literature on provable concrete security it is standard to define 2^b security as the nonexistence of high-probability attack algorithms taking time ≤ 2^b. However, this paper provides overwhelming evidence for the existence of high-probability attack algorithms against AES-128, NIST P-256, DSA-3072, and RSA-3072 taking time considerably below 2^128, contradicting the standard security conjectures.
These attack algorithms are not realistic; do not indicate any actual security problem; do not indicate any risk to cryptographic users; and do not indicate any failure in previous cryptanalysis. Any actual use of these attack algorithms would be much more expensive than the conventional 2^128 attack algorithms. However, this expense is not visible to the standard definitions of security. Consequently the standard definitions of security fail to accurately model actual security.
The underlying problem is that the standard set of algorithms, namely the set of algorithms taking time ≤ 2^b, fails to accurately model the set of algorithms that an attacker can carry out. This paper analyzes this failure in detail, and analyzes several ideas for fixing the security definitions.
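To make the gap between the two cost notions concrete, here is an added toy illustration (not code from the paper, and not the paper's attacks on AES-128 or the other primitives): a constructed 16-bit keyed function `toy_prf`, a uniform brute-force key search, and a non-uniform attack whose precomputed table is hard-coded advice that the "time ≤ 2^b" metric does not count. `KEY_BITS`, `FIXED_MSG` and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy parameters: a 16-bit key so the whole key space can be
# enumerated in seconds. Real ciphers such as AES-128 have 2^128 keys.
KEY_BITS = 16
FIXED_MSG = b"constructed fixed plaintext"


def toy_prf(key: int, msg: bytes) -> bytes:
    """Keyed function standing in for a block cipher (constructed, not AES)."""
    return hashlib.sha256(key.to_bytes(4, "big") + msg).digest()


def uniform_attack(target: bytes) -> tuple[int, int]:
    """Brute force with no advice: returns (key, evaluations).
    Worst case 2^KEY_BITS evaluations, all of them counted as attack time."""
    for k in range(1 << KEY_BITS):
        if toy_prf(k, FIXED_MSG) == target:
            return k, k + 1
    raise ValueError("target not produced by any key")


def precompute_table() -> dict[bytes, int]:
    """Offline phase: 2^KEY_BITS evaluations. Under the standard definition this
    table is part of the (non-uniform) attack algorithm, so building it costs
    no attack time at all."""
    return {toy_prf(k, FIXED_MSG): k for k in range(1 << KEY_BITS)}


def nonuniform_attack(target: bytes, table: dict[bytes, int]) -> tuple[int, int]:
    """Online phase: a single lookup, so the measured 'time' is 1."""
    return table[target], 1


def compare_costs(secret_key: int) -> dict[str, int]:
    """Recover secret_key both ways and report what each cost notion sees."""
    target = toy_prf(secret_key, FIXED_MSG)
    k1, t_uniform = uniform_attack(target)
    table = precompute_table()
    k2, t_online = nonuniform_attack(target, table)
    assert k1 == k2 == secret_key
    return {
        "uniform_time": t_uniform,                   # counted by 'time <= 2^b'
        "nonuniform_time": t_online,                 # counted by 'time <= 2^b'
        "nonuniform_precomputation": len(table),     # invisible to that metric
        "nonuniform_total": len(table) + t_online,   # what an attacker actually pays
    }
```

The non-uniform attack "beats" brute force under the time-only metric while its real cost (table construction plus storage) is strictly larger, which is the mismatch the abstract describes.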
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Bernstein, D.J., Lange, T. (2013). Non-uniform Cracks in the Concrete: The Power of Free Precomputation. In: Sako, K., Sarkar, P. (eds) Advances in Cryptology - ASIACRYPT 2013. ASIACRYPT 2013. Lecture Notes in Computer Science, vol 8270. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42045-0_17
DOI: https://doi.org/10.1007/978-3-642-42045-0_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42044-3
Online ISBN: 978-3-642-42045-0