Re: 3DES keys
> Both parties must agree on the minimum acceptable exponent size. It
> is not enough for one party to say "I need 56 bits of key so I'll use
> a 112 bit exponent" and for the other to say "I need 112 bits of key
> so I'll use a 224 bit exponent." The resulting strength would be the
> lesser of the two choices. So, if both parties want to get keys from
> one DH exchange, they've got to agree on the goal.
May I suggest choosing fixed exponent and other parameters that would
provide 256 bits of keying material (and a mechanism for agreeing on
extensions in future to cope e.g. with improved factoring methods).
For each algorithm you use as much of that as you need. I am worried
that the complexity may get out of hand. KISS (Keep It Simple
Stupid).
Slight performance improvements may be insufficient justification for
the added complexity. A 512 bit exponentiation takes much less than a
second on a 486; is there any real need to ever use anything
smaller? This would provide enough key material and would avoid all
the complications.
Why not just say: the minimum exponent is 512 bits.
I am not familiar with elliptic curves, and it is not clear to me what
the speed tradeoff is with them.
Tatu Ylonen <ylo@cs.hut.fi>