Add to ORKGThis paper makes the case for considering the cost of cryptographic attacks as the main measure of their efficiency, instead of their time complexity. This allows, in our opinion, a more realistic assessment of the "risk" these attacks represent. This is half-and-half a position and a technical paper. Cryptographic attacks described in the literature are rarely implemented. Most exist only "on paper", and their main characteristic is that their estimated time complexity is small enough to break a given security property. However, when a cryptanalyst actually considers implementing an attack, she soon realizes that there is more to the story than time complexity. For instance, Wiener has shown that breaking the double-DES costs 2 6n/5 , asym...
We introduce a formal quantitative notion of ``bit security\u27\u27 for a general type of cryptograp...
In this paper we show that a large class of diverse problems have a bicomposite structure which make...
AES-128, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols are f...
This paper discusses the implications of choosing a computational model to study the cost of crypto...
The research in complexity theory, for a long time now, has been conscious of memory as a resource i...
AbstractNew definitions are proposed for the security of Transient-Key Cryptography (a variant on Pu...
In my talk I did overwiev the area of algebraic attacks on block ciphers, explain what fast algebrai...
Many searching problems allow time-memory tradeoffs. That is, if there are K possible solutions to s...
In this paper we give a specification of a new block cipher that can be called the Courtois Toy Ciph...
peer reviewedWe explore time-memory and other tradeoffs for memory-hard functions, which are suppose...
In 1980, Martin Hellman [1] introduced the concept of cryptanalytic time-memory tradeoffs, which all...
There are two major families in cryptanalytic attacks on symmetric ciphers: statistical attacks and ...
Abstract. Previously, the author has developed a framework within which to quantify and compare the ...
International audienceWe address the problem of speeding up group computations in cryptography using...
AbstractIn this paper, the authors give the definitions of a coprime sequence and a lever function, ...
We introduce a formal quantitative notion of ``bit security\u27\u27 for a general type of cryptograp...
In this paper we show that a large class of diverse problems have a bicomposite structure which make...
AES-128, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols are f...
This paper discusses the implications of choosing a computational model to study the cost of crypto...
The research in complexity theory, for a long time now, has been conscious of memory as a resource i...
AbstractNew definitions are proposed for the security of Transient-Key Cryptography (a variant on Pu...
In my talk I did overwiev the area of algebraic attacks on block ciphers, explain what fast algebrai...
Many searching problems allow time-memory tradeoffs. That is, if there are K possible solutions to s...
In this paper we give a specification of a new block cipher that can be called the Courtois Toy Ciph...
peer reviewedWe explore time-memory and other tradeoffs for memory-hard functions, which are suppose...
In 1980, Martin Hellman [1] introduced the concept of cryptanalytic time-memory tradeoffs, which all...
There are two major families in cryptanalytic attacks on symmetric ciphers: statistical attacks and ...
Abstract. Previously, the author has developed a framework within which to quantify and compare the ...
International audienceWe address the problem of speeding up group computations in cryptography using...
AbstractIn this paper, the authors give the definitions of a coprime sequence and a lever function, ...
We introduce a formal quantitative notion of ``bit security\u27\u27 for a general type of cryptograp...
In this paper we show that a large class of diverse problems have a bicomposite structure which make...
AES-128, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols are f...