[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 3DES keys
> From: Hilarie Orman <ho@cs.arizona.edu>
> Yes, but there number of bits of uncertainity here isn't the same as
> the strength, or work factor for breaking the system. It's often the
> case in cryptography that things don't add up this way. In DH, you've
> got g^x and g^y traveling over the wire, and the secret is g^(xy).
> Revealing either x or y will unravel the secret. So if the work
> factor for solving g^y for y is less than the work factor for solving
> g^x for x, then g^y is the weak link.
>
I'd forgotten that. I'll put some text in the Mod Exp section.
As to elliptic curves, 155 bits of length or 155 bits of strength?
> As for the upper bits, the attacker has read the Photuris spec and
> knows that small exponents are recommended for efficiency.
>
Hmmm, have to think about that. Actually, I think it was the number of
1 bits.... Maybe we could still have very large exponents.
> If you use 128 bits of exponent with DH, this has a strength of only 64 bits.
> This is because the time to solve a discrete log problem, using known
> techniques, is the square root of the exponent space. So if you used
> 64-bit exponents to get 64-bit keys, the attacker would have a work factor
> of only 2^32 to crack the DH, which would be disappointing to the user
> of the crypto algorithm, who thought the work factor was close to the key
> length.
>
Now again, I still don't understand this well enough to write about it.
In Photuris, all the keys are generated by hashing from the
shared-secret. Assume the shared-secret length is 128-bits, and its
strength is therefore 64-bits. But given MD5, its 128-bit length
birthday attack is also 64-bit strength.
So, I don't understand why one would use more than 128 bits for the
length of the shared-secret. Why would the conservative advice be 256
bit length?
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
Follow-Ups: