
Break a dozen secret keys, get a million more for free - tptacek
http://blog.cr.yp.to/20151120-batchattacks.html
======
tedunangst
What are the preconditions for the AES batch attack? 2^40 users encrypting the
same message? Similar message? Any message?

~~~
zeveb
> 2^40 users encrypting the same message?

How about probably the single-most-encrypted block in history: 'GET
http://www.g'?

~~~
amalcon
It would actually be something like:

    GET / HTTP/1.1
    ?

where the ? is the first letter of the most common first request header. A bit
less reliable for a given target (due to needing to guess the header), but a
bit more effective in general (due to not actually caring about the domain).

~~~
klodolph
The ? is the 17th byte, unnecessary.

~~~
amalcon
You're right, I forgot that the HTTP spec calls for Windows line endings. That
means the header doesn't even matter.
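The precondition tedunangst asks about, as an added toy example that is not from this thread or from the linked post: many users encrypt the same known 16-byte block under independent keys, the attacker puts all N ciphertexts in a lookup table, and a single pass over the key space then expects its first hit after roughly 2^k/N keys instead of 2^k. The cipher is a constructed SHA-256 stand-in with 16-bit keys (so the search actually finishes), and the user keys are constructed from a seeded PRNG; it is not AES and not TLS, only a model of the "same known plaintext, many keys" situation.

```python
import hashlib
import random

KNOWN_BLOCK = b"GET / HTTP/1.1\r\n"  # exactly one 16-byte AES block
KEY_BITS = 16                        # toy key size so the enumeration terminates


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher: keyed hash truncated to 8 bytes.
    Not AES; it only models 'ciphertext = F(key, known plaintext)'."""
    return hashlib.sha256(key.to_bytes(2, "big") + block).digest()[:8]


def make_targets(n: int, seed: int = 0) -> list:
    """Constructed sample: n users, each holding an independent random key."""
    rng = random.Random(seed)
    return [rng.getrandbits(KEY_BITS) for _ in range(n)]


def batch_attack(ciphertexts: list):
    """Enumerate the key space once; each user's ciphertext is one table lookup.
    Returns (recovered {user_index: key}, keys tried until the first hit,
    keys tried until every user was recovered)."""
    table = {}
    for idx, ct in enumerate(ciphertexts):
        table.setdefault(ct, []).append(idx)  # users may share a key
    recovered, first_hit, tried = {}, None, 0
    for key in range(1 << KEY_BITS):
        tried += 1
        hits = table.get(toy_encrypt(key, KNOWN_BLOCK))
        if hits:
            if first_hit is None:
                first_hit = tried
            for idx in hits:
                recovered[idx] = key
            if len(recovered) == len(ciphertexts):
                break
    return recovered, first_hit, tried


def demo(n_users: int = 256):
    """Run the model: with 256 users the first key falls after ~2^16/256 tries."""
    keys = make_targets(n_users)
    cts = [toy_encrypt(k, KNOWN_BLOCK) for k in keys]
    recovered, first_hit, tried = batch_attack(cts)
    return keys, recovered, first_hit, tried
```

With sequential enumeration the first hit lands at the smallest user key, so the cost of the first break scales with 1/N while the per-key cost never changes; that is the margin loss the thread title refers to.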

------
yuhong
"Real-world clients often support non-elliptic "DHE" along with, or instead
of, elliptic "ECDHE". It would be interesting to trace the reasons for this:
for example, were people worried about ECC patents?"

DHE was in the original SSLv3 spec, but not commonly used before NSS added
support for DHE_RSA in the early 2000s I think. ECDHE did not come until much
later.

------
MichaelGG
What are the incentives for the authors of the linked papers? Why would they
round up an old, incorrect, estimate of RSA factoring? Is this just engineers
engaging in "optimization" and trying to edge out more performance?

