
Re: 3DES keys



>  For your examples, one party uses 112 bits and the other uses 224,
>  between them they have 336 bits of uncertainty.  Each doesn't care that
>  they have more than needed, only that they got enough.

Yes, but the number of bits of uncertainty here isn't the same as
the strength, or work factor for breaking the system.  It's often the
case in cryptography that things don't add up this way.  In DH, you've
got g^x and g^y traveling over the wire, and the secret is g^(xy).
Revealing either x or y will unravel the secret.  So if the work
factor for solving g^y for y is less than the work factor for solving
g^x for x, then g^y is the weak link.

As for the upper bits, the attacker has read the Photuris spec and
knows that small exponents are recommended for efficiency.

If you use 128 bits of exponent with DH, this has a strength of only 64 bits.
This is because the time to solve a discrete log problem, using known
techniques, is the square root of the exponent space.  So if you used
64-bit exponents to get 64-bit keys, the attacker would have a work factor
of only 2^32 to crack the DH, which would be disappointing to the user
of the crypto algorithm, who thought the work factor was close to the key
length.
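
The square-root work factor described in the message above, shown with baby-step giant-step as an added example that is not part of the original message. The modulus `P`, base `G` and the function name are constructed toy values chosen so it runs in well under a second; the point for sizing is that a k-bit exponent costs about 2^(k/2) group operations to recover, so the exponent needs twice as many bits as the intended strength.

```python
from math import isqrt
import secrets

# Constructed toy parameters (not from the thread): a 61-bit Mersenne prime
# and a small base. Real DH groups are far larger; only the exponent length
# matters for the cost measured here.
P = 2**61 - 1
G = 3

def bsgs_short_exponent(h, bits, g=G, p=P):
    """Find x in [0, 2**bits) with g**x == h (mod p).

    Returns (x, mults), where mults counts modular multiplications.
    The search does about 2 * 2**(bits/2) of them, not 2**bits.
    """
    m = isqrt((1 << bits) - 1) + 1        # ceil(sqrt(2**bits))
    table = {}
    cur, mults = 1, 0
    for j in range(m):                    # baby steps: store g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % p
        mults += 1
    step = pow(g, p - 1 - m, p)           # g^(-m) by Fermat's little theorem
    gamma = h
    for i in range(m):                    # giant steps: h * g^(-i*m)
        j = table.get(gamma)
        if j is not None:
            return i * m + j, mults
        gamma = gamma * step % p
        mults += 1
    return None, mults

def measure(bits):
    """Pick a random bits-long exponent, recover it, report the cost."""
    x = secrets.randbits(bits)
    found, mults = bsgs_short_exponent(pow(G, x, P), bits)
    return x, found, mults

if __name__ == "__main__":
    for bits in (16, 24, 32):
        x, found, mults = measure(bits)
        ok = pow(G, found, P) == pow(G, x, P)
        print(f"{bits}-bit exponent: recovered={ok}, "
              f"multiplications={mults} (2^{bits // 2 + 1} = {2 ** (bits // 2 + 1)})")
```
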


