
AES draft query



Page 9 of the draft recommends 3240-bit Diffie-Hellmans for 128-bit AES,
7945-bit Diffie-Hellmans for 192-bit AES, and 15430-bit Diffie-Hellmans for
256-bit AES. It is worth discussing whether these requirements address a
real perceived threat or are at best theoretical in nature. While the draft
defers the discussion on how they were derived to a reference, it is easy enough to
guess how they were obtained: select the Diffie-Hellman modulus size at the
point where computing the discrete logarithm becomes just as expensive as
attacking the symmetric key directly. However, unlike symmetric algorithms,
public key operations like Diffie-Hellmans have a real cost, so this may not
be the best way to set the requirement, even if it is theoretically the
"right" way to do the job. Even if you believe Moore's law will remain true
for the foreseeable future, 8K and 15K still represent about 9 and 11 more
generations of processors, respectively, before you get performance most
users will tolerate. The most credible study I've seen estimating key
strengths is Lenstra and Verheul's "Selecting Cryptographic Key Sizes",
November 15, 1999. They estimate that 4K modular exponentiations will still
be secure from any reasonable attacks for the next 50 years. So why should
there be a requirement for anything above about 4K Diffie-Hellmans at this
time? On the point of Diffie-Hellman modulus sizes, the draft's
requirements seem to be way out of line both in regard to the state of
technology and in regard to the nature of the perceived possible threats in
the time frames when the draft will be applicable. What am I missing?

-- Jesse Walker
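
The balancing rule the message guesses at, worked through as an added example (it is not part of the original post or of the draft). It assumes the textbook general number field sieve running-time heuristic with the o(1) term dropped and no calibration constant, so it is not expected to reproduce the draft's exact figures, which come from the draft's own reference.

```python
import math

# Assumption: discrete logs mod an n-bit prime cost about as much as the
# heuristic general number field sieve (GNFS) running time
#   L(n) = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# with the o(1) term dropped and no calibration constant applied.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)

# Modulus sizes quoted in the message from page 9 of the draft.
DRAFT_SIZES = {128: 3240, 192: 7945, 256: 15430}


def gnfs_work_bits(modulus_bits):
    """Return log2 of the estimated GNFS work for a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return exponent / math.log(2)


def modulus_bits_for(symmetric_bits, lo=512, hi=65536):
    """Smallest modulus size whose estimated work reaches 2**symmetric_bits.

    The estimate grows monotonically with modulus size, so bisection works.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) < symmetric_bits:
            lo = mid
        else:
            hi = mid
    return hi


def compare():
    """Rows of (key bits, balanced modulus, draft modulus, work at draft size)."""
    return [
        (k, modulus_bits_for(k), draft, round(gnfs_work_bits(draft), 1))
        for k, draft in sorted(DRAFT_SIZES.items())
    ]


if __name__ == "__main__":
    print("key  balanced  draft  work-bits-at-draft-size")
    for key_bits, balanced, draft, work in compare():
        print(f"{key_bits:3d}  {balanced:8d}  {draft:5d}  {work:6.1f}")
```
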



