[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: length of exponents

To: ipsec@ans.net
Subject: Re: length of exponents
From: "William Allen Simpson" <bsimpson@morningstar.com>
Date: Fri, 1 Dec 95 14:29:00 GMT

> From: David A Wagner <daw@CS.Berkeley.EDU>
> hugo@watson.ibm.com writes:
> > If one uses 160 long exponents the security becomes at most 2^80 because
> > of Shanks/Pollard attacks that require roughly 2^{t/2} operations to find an
> > exponent whose length is t (this number is independent of the modulus
> > length).
>
> I think this is sound advice.
>
Good, then I'm sure that you both will support the fact that at least
the past two draft revisions already state [page 48]:

         Exponent lengths
         of 196 to 256 bits are recommended.

That seems to be a fair bit more than 128 and/or 160.  It is in line
with the estimated strength of the modulus, which is the driving factor.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

Prev by Date: Re: long lifetime SPI's
Next by Date: length of exponents
Prev by thread: Re: length of exponents
Next by thread: length of exponents
Index(es):
- Main
- Thread