[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3DES keys

To: ho@cs.arizona.edu
Subject: Re: 3DES keys
From: Tatu Ylonen <ylo@cs.hut.fi>
Date: Sat, 30 Sep 1995 18:05:52 +0200
Cc: bsimpson@morningstar.com, ipsec@ans.net
In-Reply-To: <199509291946.AA25214@interlock.ans.net> (ho@cs.arizona.edu)
Organization: Helsinki University of Technology, Finland

> Both parties must agree on the minimum acceptable exponent size.  It
> is not enough for one party to say "I need 56 bits of key so I'll use
> a 112 bit exponent" and for the other to say "I need 112 bits of key
> so I'll use a 224 bit exponent."  The resulting strength would be the
> lesser of the two choices.  So, if both parties want to get keys from
> one DH exchange, they've got to agree on the goal.

May I suggest choosing fixed exponent and other parameters that would
provide 256 bits of keying material (and a mechanism for agreeing on
extensions in future to cope e.g. with improved factoring methods).
For each algorithm you use as much of that as you need.  I am worried
that the complexity may get out of hands.  KISS (Keep It Simple
Stupid).

Slight performance improvements may be insufficient justification for
the added complexity.  A 512 bit exponentiation takes much less than a
second on a 486; is there any real need to to ever use anything
smaller?  This would provide enough key material and would avoid all
the complications.

Why not just say: the minimum exponent is 512 bits.

I am not familiar with elliptic curves, and it is not clear to me what
the speed tradeoff is with them.

    Tatu Ylonen <ylo@cs.hut.fi>

References:

Re: 3DES keys

From: Hilarie Orman <ho@cs.arizona.edu>

Prev by Date: Re: 3DES keys
Next by Date: Re: 3DES keys
Prev by thread: Re: 3DES keys
Next by thread: Re[2]: 3DES keys
Index(es):
- Main
- Thread