[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)
David Leon Gil
coruus at gmail.com
Wed Jul 23 19:46:00 PDT 2014
> If the system uses RSA, the cheapest approach is usually to vary the public exponent.
Actually done that. (64-bit OpenPGP key collisions, see https://github.com/cooperpair). But fingerprints that include the RSA exponent are a design mistake. (It isn't a part of the 'hard problem'; and > 99% of normal users' keys use the top three exponents, IIRC.)[*]
And thanks for the exceedingly helpful suggestions on EC keys; I may play around with figuring out a more precise cost estimate
Joseph: Attacker's hardware is much more parallel than users' hardware... See, e.g., djb's current microcluster[**]: http://blog.cr.yp.to/20140602-saber.html
(Background on the zero-prefix cost issue: Experimentally verified when I was looking at OpenPGP key collisions. Did a slightly larger plain collision search than is reflected by results in my repo; selecting targets with a zero byte needed to hide memory latency on target architecture. At some point I'll clean up the source...)
[*] Adam Langley has pointed out that protocols which allow arbitrary exponents are subject to DoS attacks. https://www.imperialviolet.org/2012/03/17/rsados.html So perhaps not requiring e fixed was the design mistake.
[**] Why can't cryptographers get funding for real clusters? I know plenty of physicists with as much compute power in their office. And cluster-builders who have wasted more real cluster time running Linpack than, well...alas.
Sent using alpine: an Alternatively Licensed Program for Internet News and Email
On Wed, Jul 23, 2014 at 11:56 AM, Robert Ransom<rransom.8774 at gmail.com>, wrote:
On 7/23/14, David Leon Gil <coruus at gmail.com> wrote:
> (I suspect perhaps Joseph was thinking about prime-based-crypto in his
> comment. Or is there a good way of cheaply generating (strong) RSA keys? The
> obvious approach is to just pick two strong primes and then just multiply
> by, say, all primes less than 2^w, where w is the word length, which is a
> factor of N/w cheaper for schoolbook, at least.)
I would reserve the term “prime-based crypto” for
discrete-logarithm-based cryptosystems in prime-field multiplicative
groups. You seem to be talking about factorization-based
If the system uses RSA, the cheapest approach is usually to vary the
public exponent. (This search can be performed on untrusted hardware,
e.g. botnet nodes, so it poses a greater threat than one that exposes
the secret key to the device which finds the winning public key. All
reasonable discrete-logarithm public key search procedures can also
use untrusted hardware.)
If the system uses RSA with a fixed public exponent, what you describe
may work if no one tries to actively detect and prevent that attack.
(This search can also be performed on untrusted hardware.)
If the system uses RSA with a fixed public exponent and you must
ensure that no prime factor of the modulus is ever found, the cheapest
approach is to generate a bunch of secret primes and multiply together
each pair of distinct primes. (This search requires trusted
> In general, the speedup of just doing adds or doubles is very roughly the
> bit length of the EC key, right? (I have a factor of 515 for
> Ed448-Goldilocks based on benchmarks, which seems in accord with my
For Ed448-Goldilocks, I'm not sure. The earlier versions used Mike
Hamburg's 1/sqrt(u) point format (where u is the Montgomery-form x
coordinate), and I don't think that can be batch-scaled.
For ECC with the more common point formats, at the very least, you can
batch the inversions together using ‘Montgomery's trick’ (on a serial
or mostly-serial computer), at least until your working storage
reaches the processor's cache size. On top of that speedup,
short-Weierstrass batched affine addition uses a batched inversion
within the formula, and is considerably faster than projective
addition followed by scaling.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging