it's out https://eprint.iacr.org/2019/1492
will present it at @RealWorldCrypto
the paper I'm the proudest of
thanks to @sevenps pic.twitter.com/sfJJytvdSj
CS, Cryptography, Cryptanalysis, Privacy, Biometrics, Computer Security. (personal account at @mkilmo)
1/ I will start with a small complaint - we have a 5-round attack on AES with time/data complexity of only 2^16 (see eprint 2019/1154).
2/ your main argument seems to be "we are very conservative w.r.t. number of rounds because of practical vs. impractical attacks." You even mention one common criticism of the time as complexity (rather than Area*Time, or any other metric). To be honest, you are right, as you
3/ know, the only metric is $/days (how much $'s are needed to get the key in a day). However, estimating it for attacks (and this is before the discussion of values you store and access once in a sequential manner vs. accessing randomly many items), is very complicated.
4/ So we settle with approximation (time, or max(data,time,memory)) and "internally" (or in the jargon, or in the publications) we always know that (and many times publicly admit that). This is just to save us all the time to find a systems engineer for each such paper.
5/ that being said, attacks do get better. In some cases very much better (KASUMI was supposed to offer 128-bit security, in some "weaker model" it offers only 32-bit security). MD5 collisions started as "weird model" (chosen IVs), became collisions in 2^39, then ... today - 2^16
6/ This proves that you can never tell in advance how many "extra" rounds you'll need, and the risk may become practical. Because of differential/linear cryptanalysis. Because of some new idea (multi-block, and message modification and ...).
7/ Decision making under uncertainty is actually a well known scientific (and engineering) problem. The only way to know which of the ciphers from the AES competition would survive so far was to run it. 7 out of the 15 candidates didn't make it.
8/ We can even go back to the eSTREAM competition. After a lengthy period of time 8 ciphers were selected (one of the finalists was broken by Nathan and me just a few weeks before the selection, so it was not selected). A bit after that, one of the portfolio's schemes was broken.
9/ Consider even Trivium (really cool lightweight stream cipher). The number of rounds of initialization to be attacked is ever increasing. Now, it is still secure, but the security margins are very different than they used to be (IIRC from 50% to 20%).
10/ to conclude - it seems that writing the opposite text with all the examples which were found 10, 20 or even 30 years later as broken would suggest the opposite conclusion than yours. (and there are many of these)
Thanks for these thoughts! As you probably figured, the core point I’m making is that for these algorithms we have enough assurance/paper/results, and confidence that attacks won’t get meaningfully better
The exceptions you and others cite are not even exceptions, for the amount of cryptanalysis and maturity thereof wasn't even close to that on AES or ChaCha or Keccak; remember that SHA3’s core is about as old as AES