Interview with Michael Walter at EuroCrypt 2018 on the Topic of Bit Security

Michael Walter is currently working on his postdoctoral research at the Institute of Science and Technology (IST) in Austria. I caught up with him at the EuroCrypt 2018 conference in Tel Aviv, where he gave a talk titled "On the Bit Security of Cryptographic Primitives".

Michael Walter - EuroCrypt 2018

Bit Security has received a lot of criticism lately – can you explain why that is?

So, there are a few different issues here. One is that there is a loss of precision that you have versus the concrete security approach, where you can take a more detailed look at the resources and advantages, and you take these numbers and bit security compresses them into one. There you will lose something; this is a simplification, and a valid one in my opinion in many cases, but certainly not in all.

Another point is the work by Bernstein and Lange, which pointed to issues that dealt with non-uniformity of adversaries, so these are adversaries where we know they exist but we're not sure how to find them. (So, for example, we don’t know how to program these.)

What is the focus of your research?

In this work we look at a different aspect, essentially. As I said, Bernstein and Lange have proposed several countermeasures that one can do, but they didn't look at the advantage functions, this quantity that most people think of as the distinguishing advantage. We think that if you quantify security in terms of bit security, what you should be looking at is the quantity alpha times delta squared (which corresponds to the adversary's output probability (alpha) and conditional distinguishing advantage squared (delta^2)).

Your research is redefining the decision problems?

Not the problems themselves, but how you would measure the security of decision primitives.

What are the real-life implications based on your work, if any?

So, that is kind of an interesting question. When talking about real life applications, you usually look at things that have a constant advantage. For example, I have an adversary that with probability ½ will break the scheme or probability ½ is able to distinguish something.

There, it doesn’t really matter that much if you look at the distinguishing advantage or distinguishing advantage². Because if you have a success probability or a distinguishing advantage of maybe ¾, which is very large, then its square will be 9/16, which is still large – and in that sense, if you're talking about real world adversaries that go ahead and break something, it won't make much of a difference. It's more to get a cleaner way of reducing between primitives.

But also, potentially, there are implications, for example, for approximate sampling for lattice-based cryptography, where this does have real world impact as far as how much precision you'll need in order to prove that your scheme is still secure. So it does have some implications.

But not for your average person?

Not really, but that’s really a good thing – bit security has been around for a while and people have an intuition about it, which isn't necessarily wrong. The nice thing about bit security is if I tell you something has 100 bits of security you'll be like, oh that’s pretty secure. But if I tell you something has only 50 bits of security you'll probably stay clear of it. And I don’t want to change that at all, I think it's useful to talk about and quantify measures of security in this way.

You can see Michael's complete presentation from EuroCrypt 2018 here.

About the Author

Kristina is an experienced tech writer and researcher with a keen interest in cybersecurity for businesses and the general public.
