[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
lengths and strengths
> From: Hilarie Orman <ho@cs.arizona.edu>
> > As to elliptic curves, 155 bits of length or 155 bits of strength?
>
> That's 155/2 bits of strength.
>
Hmmm, that's only good enough for DES and/or MD5, not 3DES and/or SHA.
Do you have any stronger groups we could use instead?
> elliptic curves becomes more pronounced as the *length* of the shared
> secret (the modulus) increases. We found the break-even point to be
> 512 bits for mod p vs. 155 bits for EC. If you use 1024 bit or 2048
> bit mod p systems, the corresponding EC's are much more efficient.
>
Let's use the corresponding EC's then, please. We aren't even using
512 bit moduli for ModExp.
> > > As for the upper bits, the attacker has read the Photuris spec and
> > > knows that small exponents are recommended for efficiency.
> > >
> > Hmmm, have to think about that. Actually, I think it was the number of
> > 1 bits.... Maybe we could still have very large exponents.
>
> This is actually an interesting suggestion, but it probably doesn't win.
> You can get 64-bits of strength by dispersing 19 bits at random in 1024.
> This makes one part of the DH computation very fast, but it slows down the
> other substantially.
>
Which half? I'm only concerned about the speed of shared-secret
generation, not public key computation (precomputed in background).
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
Follow-Ups: