Security Level. A secret is said to have security level 2k over a finite field F if the best-known attack for obtaining the secret involves running an algorithm that requires at least 2k elementary operations (addition, subtraction, multiplication, division) in the finite field F. We assume that Ironwood is running on the braid group BN over the finite field Fq. Note that there are qN polynomials of degree N − 1 over Fq. So a brute force search for a particular polynomial of degree N − 1 over Fq has security level qN . • The brute force security level of the matrix Ci is qN . • The brute force security levels of the matrices C, Cj are qN . The T -values is a set of field elements {τ1, τ2, . . . , τN } where none of the τi = 0 or 1. • The brute force security level of the T -values is (q − 2)N . Note that the size of the public keys Pubi of the devices Di is N 2 · log2(q) + N log2(N ) and the size of the public key of the HD is (N 2 + N ) · log2(q). We can thus assert • The brute force security level of the exchanged key is 2N log2(q) = qN . • The brute force security level of either of the private braids β, βj is SL > (2r)L where L is the length of the braid as a word in the conjugates assigned to the HD, and hence we have the lower bound SL > min((2r)L, (q − 2)N ). An active attacker who attempts to run a weak-key attack can force a reduction in security level. Specifically, we would expect the search-space of sj to be qX where X is the number of non-zero entres in the s vector sent by the HD to Di, or more accurately, the number of non-zero entries required by Di. An attacker who sends an s vector with just under half of the entries 0 would reduce the security level by half. Therefore, to properly defeat this kind of attack requires choices for N and q such that qN 22SL, or more accurately, qX 2SL where X < N . A passive eavesdropper only gains access to the public keys and s-column. That does not provide enough information to reproduce the shared secret. In that E-Multiplication is conjectured to be a one-way function, knowledge of (CiMi, σi) does not enable an attacker to learn Ci, which would be required to compute the shared secret as Di. Similarly, knowledge of (CjMjM−1C−1) does not provide enough information to deduce C, Cj, β, or βj. This prevents computing the shared secret as the HD using Di’s public key. If an attacker breaks into one Di device and reads out its key material, they cannot use that against another device Dj (i = j). Each device’s matrices are independently generated, so knowledge of one provides no information about any other device keys. It has become standard in the art to give security proofs for both asymmetric key exchange protocols and digital signatures. The structure of such proofs do not lend themselves to the Ironwood protocol (or any other MKAAP), and as of this writing no other security proof which would has been introduced to the field.
Appears in 1 contract
Security Level. A secret is said to have security level 2k over a finite field F if the best-known attack for obtaining the secret involves running an algorithm that requires at least 2k elementary operations (addition, subtraction, multiplication, division) in the finite field F. We assume that Ironwood ▇▇▇▇▇▇▇▇ is running on the braid group BN over the finite field Fq. Note that there are qN polynomials of degree N − 1 over Fq. So a brute force search for a particular polynomial of degree N − 1 over Fq has security level qN . • The brute force security level of the matrix Ci is qN . • The brute force security levels of the matrices C, Cj are qN . The T -values is a set of field elements {τ1, τ2, . . . , τN } where none of the τi = 0 or 1. • The brute force security level of the T -values is (q − 2)N . Note that the size of the public keys Pubi of the devices Di is N 2 · log2(q) + N log2(N ) and the size of the public key of the HD is (N 2 + N ) · log2(q). We can thus assert • The brute force security level of the exchanged key is 2N log2(q) = qN . • The brute force security level of either of the private braids β, βj is SL > (2r)L where L is the length of the braid as a word in the conjugates assigned to the HD, and hence we have the lower bound SL > min((2r)L, (q − 2)N ). An active attacker who attempts to run a weak-key attack can force a reduction in security level. Specifically, we would expect the search-space of sj to be qX where X is the number of non-zero entres in the s vector sent by the HD to Di, or more accurately, the number of non-zero entries required by Di. An attacker who sends an s vector with just under half of the entries 0 would reduce the security level by half. Therefore, to properly defeat this kind of attack requires choices for N and q such that qN 22SL, or more accurately, qX 2SL where X < N . A passive eavesdropper only gains access to the public keys and s-column. That does not provide enough information to reproduce the shared secret. In that E-Multiplication is conjectured to be a one-way function, knowledge of (CiMi, σi) does not enable an attacker to learn Ci, which would be required to compute the shared secret as Di. Similarly, knowledge of (CjMjM−1C−1) does not provide enough information to deduce C, Cj, β, or βj. This prevents computing the shared secret as the HD using Di’s public key. If an attacker breaks into one Di device and reads out its key material, they cannot use that against another device Dj (i = j). Each device’s matrices are independently generated, so knowledge of one provides no information about any other device keys. It has become standard in the art to give security proofs for both asymmetric key exchange protocols and digital signatures. The structure of such proofs do not lend themselves to the Ironwood protocol (or any other MKAAP), and as of this writing no other security proof which would has been introduced to the field.
Appears in 1 contract