lengths and strengths

["William Allen Simpson" <bsimpson@morningstar.com>]

> From: Hilarie Orman <ho@cs.arizona.edu>
> >  As to elliptic curves, 155 bits of length or 155 bits of strength?
>
> That's 155/2 bits of strength.
>
Hmmm, that's only good enough for DES and/or MD5, not 3DES and/or SHA.

Do you have any stronger groups we could use instead?


> elliptic curves becomes more pronounced as the *length* of the shared
> secret (the modulus) increases.  We found the break-even point to be
> 512 bits for mod p vs.  155 bits for EC.  If you use 1024 bit or 2048
> bit mod p systems, the corresponding EC's are much more efficient.
>
Let's use the corresponding EC's then, please.  We aren't even using
512 bit moduli for ModExp.


> >  > As for the upper bits, the attacker has read the Photuris spec and
> >  > knows that small exponents are recommended for efficiency.
> >  >
> >  Hmmm, have to think about that.  Actually, I think it was the number of
> >  1 bits....  Maybe we could still have very large exponents.
>
> This is actually an interesting suggestion, but it probably doesn't win.
> You can get 64-bits of strength by dispersing 19 bits at random in 1024.
> This makes one part of the DH computation very fast, but it slows down the
> other substantially.
>
Which half?  I'm only concerned about the speed of shared-secret
generation, not public key computation (precomputed in background).

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

---

Follow-Ups:

• Re: lengths and strengths
• From: Hilarie Orman <ho@cs.arizona.edu>

---

• Prev by Date: Re: 3DES keys
• Next by Date: final formats?
• Prev by thread: SKIP interoperabililty
• Next by thread: Re: lengths and strengths
• Index(es):
  • Main
  • Thread