Cryptology ePrint Archive: Report 2012/318

Non-uniform cracks in the concrete: the power of free precomputation

Daniel J. Bernstein and Tanja Lange

Abstract: There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature. This paper analyzes the magnitude of the flaw in detail, showing how it varies across cryptosystems and across cost metrics, and analyzes several strategies for fixing the definitions.

Category / Keywords: foundations / provable security, concrete security, non-uniform algorithms, algorithm cost metrics

Date: received 4 Jun 2012, last revised 6 Mar 2013

Contact author: tanja at hyperelliptic org

Available format(s): PDF | BibTeX Citation

Note: Revised intro, added FAQ.

Version: 20130306:091534 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]