
Re: AES draft query



This same draft also recommends 248-bit Elliptic Curve Diffie-Hellmans
(ECDH) for 128-bit AES, 376-bit ECDH for 192-bit AES, and 504-bit ECDH for
256-bit AES.  

However, note that Appendix 6 to FIPS 188-2 recommends ECDH modulus sizes
that are slightly larger than those recommended in this draft.
Appendix 6 to FIPS 188-2 recommends 283-bit Elliptic Curve Diffie-Hellmans
(ECDH) for 128-bit AES, 409-bit ECDH for 192-bit AES, and 571-bit ECDH for
256-bit AES over a "Binary Field" and 256-bit Elliptic Curve
Diffie-Hellmans (ECDH) for 128-bit AES, 384-bit ECDH for 192-bit AES, and
521-bit ECDH for 256-bit AES over a "Prime Field". 

Francois Rousseau

At 06:29 AM 16/03/00 -0800, Walker, Jesse wrote:
>Page 9 of the draft recommends 3240-bit Diffie-Hellmans for 128-bit AES,
>7945-bit Diffie-Hellmans for 192-bit AES, and 15430-bit Diffie-Hellmans for
>256-bit AES. It is worth discussing whether these requirements address a
>real perceived threat or are at best theoretical in nature. While the draft defers
>the discussion on how they were derived to a reference, it is easy enough to
>guess how they were obtained: select the Diffie-Hellman modulus size at the
>point where computing the discrete logarithm becomes just as expensive as
>attacking the symmetric key directly. However, unlike symmetric algorithms,
>public key operations like Diffie-Hellmans have a real cost, so this may not
>be the best way to set the requirement, even if it is theoretically the
>"right" way to do the job. Even if you believe Moore's law will remain true
>for the foreseeable future, 8K and 15K still represent about 9 and 11 more
>generations of processors, respectively, before you get performance most
>users will tolerate. The most credible study I've seen estimating key
>strengths is Lenstra and Verheul's "Selecting Cryptographic Key Sizes",
>November 15, 1999. They estimate that 4K modular exponentiations will still
>be secure from any reasonable attacks for the next 50 years. So why should
>there be a requirement for anything above about 4K Diffie-Hellmans at this
>time? On the point of Diffie-Hellman modulus sizes, the draft's
>requirements seem to be way out of line both in regard to the state of
>technology and in regard to the nature of the perceived possible threats in
>the time frames when the draft will be applicable. What am I missing?
>
>-- Jesse Walker
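
Added example, not part of either message or of the draft: a check of the guess in the quoted message that the Diffie-Hellman sizes sit where the discrete logarithm costs as much as a brute-force attack on the AES key. It assumes the heuristic general number field sieve running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped as the cost model; the function names are this example's own.

```python
import math

# Constant c of the heuristic GNFS running time L_n[1/3, c], c = (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)

# Sizes quoted in the message above from page 9 of the draft:
# AES key bits -> Diffie-Hellman modulus bits
DRAFT_DH = {128: 3240, 192: 7945, 256: 15430}


def gnfs_log2_work(modulus_bits: int) -> float:
    """log2 of L_n[1/3, c] for an n of modulus_bits bits (o(1) term dropped)."""
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def calibration_offsets(table=DRAFT_DH) -> dict:
    """Bits by which the raw formula exceeds the symmetric strength at each size."""
    return {k: gnfs_log2_work(m) - k for k, m in table.items()}


def matching_modulus_bits(sym_bits: int, offset: float = 0.0) -> int:
    """Smallest modulus whose estimated work, less offset, reaches 2**sym_bits."""
    lo, hi = 512, 65536
    while lo < hi:  # binary search; the estimate grows monotonically with size
        mid = (lo + hi) // 2
        if gnfs_log2_work(mid) - offset >= sym_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    offsets = calibration_offsets()
    for k, m in DRAFT_DH.items():
        print(f"AES-{k}: draft {m} bits, raw estimate 2^{gnfs_log2_work(m):.2f}, "
              f"offset {offsets[k]:.2f} bits")
    # Calibrate on the 128-bit pair only, then predict the other two sizes.
    for k in (192, 256):
        predicted = matching_modulus_bits(k, offsets[128])
        print(f"AES-{k}: predicted {predicted} bits, draft {DRAFT_DH[k]} bits")
    # The 4K size raised in the message, under the same calibration.
    print(f"4096-bit modulus: about 2^{gnfs_log2_work(4096) - offsets[128]:.1f}")
```

Run as a script, it prints the offset at each of the three sizes; they agree to within a small fraction of a bit, which is what a single calibrated GNFS cost curve would produce.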


