Re: 3DES keys
> As to elliptic curves, 155 bits of length or 155 bits of strength?

That's 155/2 bits of strength.

> > As for the upper bits, the attacker has read the Photuris spec and
> > knows that small exponents are recommended for efficiency.
> >
> Hmmm, have to think about that. Actually, I think it was the number of
> 1 bits.... Maybe we could still have very large exponents.

This is actually an interesting suggestion, but it probably doesn't win.
You can get 64 bits of strength by dispersing 19 bits at random in 1024.
This makes one part of the DH computation very fast, but it slows down the
other substantially.

> In Photuris, all the keys are generated by hashing from the
> shared-secret. Assume the shared-secret length is 128-bits, and its
> strength is therefore 64-bits. But given MD5, its 128-bit length
> birthday attack is also 64-bit strength.

Yes, that's true.

> So, I don't understand why one would use more than 128 bits for the
> length of the shared-secret. Why would the conservative advice be 256
> bit length?

The title of the thread is 3DES keys. That's 112 bits * 2 = 224 bits of
exponent.

Separately Tatu Ylonen in <199509301605.SAA09672@shadows.cs.hut.fi>
asks about the speed tradeoff for elliptic curves. The advantage of
elliptic curves becomes more pronounced as the *length* of the shared
secret (the modulus) increases. We found the break-even point to be
512 bits for mod p vs. 155 bits for EC. If you use 1024 bit or 2048
bit mod p systems, the corresponding EC's are much more efficient.
References:
- Re: 3DES keys
- From: "William Allen Simpson" <bsimpson@morningstar.com>
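
The sparse-exponent figure in the message above (19 one bits dispersed in 1024 positions for 64 bits of strength) can be checked numerically. This is an added example, not part of the original message; it assumes the thread's convention that strength is half the log2 of the search space (a square-root attack) and plain left-to-right square-and-multiply for the cost counts, and all function names are hypothetical.

```python
from math import comb, log2

def sparse_exponent_strength(n_bits, weight):
    """Bits of strength of an n_bits exponent with exactly `weight` one bits.

    Assumption: the attacker knows the weight and mounts a square-root
    attack, so strength = log2(number of candidate exponents) / 2.
    """
    return log2(comb(n_bits, weight)) / 2

def min_weight_for_strength(n_bits, target_bits):
    """Smallest Hamming weight whose exponent space reaches target_bits."""
    for weight in range(1, n_bits // 2 + 1):
        if sparse_exponent_strength(n_bits, weight) >= target_bits:
            return weight
    return None  # target not reachable at this exponent length

def square_and_multiply_cost(n_bits, weight):
    """(squarings, multiplications) for left-to-right square-and-multiply.

    Assumption: the top bit is set, so there are n_bits - 1 squarings and
    one multiplication for each remaining one bit.
    """
    return n_bits - 1, weight - 1

def dense_exponent_strength(n_bits):
    """Strength of a uniformly random n_bits exponent under the same rule."""
    return n_bits / 2

if __name__ == "__main__":
    w = min_weight_for_strength(1024, 64)
    print(f"minimum weight in 1024 bits for 64-bit strength: {w}")
    print(f"strength at weight {w}: {sparse_exponent_strength(1024, w):.2f} bits")
    print(f"strength at weight {w - 1}: {sparse_exponent_strength(1024, w - 1):.2f} bits")
    # Sparse long exponent: few multiplications, but a squaring per bit.
    print("sparse 1024-bit, weight 19 (sq, mul):", square_and_multiply_cost(1024, w))
    # Dense short exponent of equal strength: about half the bits are set.
    print("dense 128-bit, ~64 one bits (sq, mul):", square_and_multiply_cost(128, 64))
    print(f"dense 128-bit strength: {dense_exponent_strength(128):.0f} bits")
```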