[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: length of exponents
> From: David A Wagner <daw@CS.Berkeley.EDU>
> hugo@watson.ibm.com writes:
> > If one uses 160 long exponents the security becomes at most 2^80 because
> > of Shanks/Pollard attacks that require roughly 2^{t/2} operations to find an
> > exponent whose length is t (this number is independent of the modulus
> > length).
>
> I think this is sound advice.
>
Good, then I'm sure that you both will support the fact that at least
the past two draft revisions already state [page 48]:
Exponent lengths
of 196 to 256 bits are recommended.
That seems to be a fair bit more than 128 and/or 160. It is in line
with the estimated strength of the modulus, which is the driving factor.
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2