
RE: AES draft query



These issues are discussed in
draft-orman-public-key-lengths-00.txt
on which commentary is solicited.

Hilarie

>>> "Linn, John" <jlinn@rsasecurity.com> 03/16/00 11:17AM >>>
Jesse,

Good points.  While the incremental cost of additional symmetric key bits
beyond the anticipated state of the art is "almost free", this is very much
not true for increasing the number of asymmetric key bits used to transport
those symmetric keys.  An RSA Laboratories paper with further analysis on
key size issues is now being finalized for web publication, probably within
the next couple of weeks; I'll post a citation when it's available. 

--jl

> -----Original Message-----
> From: Walker, Jesse [mailto:jesse.walker@intel.com] 
> Sent: Thursday, March 16, 2000 9:29 AM
> To: ipsec@lists.tislabs.com 
> Subject: AES draft query
> 
> 
> Page 9 of the draft recommends 3240-bit Diffie-Hellmans for 128-bit AES,
> 7945-bit Diffie-Hellmans for 192-bit AES, and 15430-bit Diffie-Hellmans for
> 256-bit AES. It is worth discussing whether these requirements address a
> real perceived threat or are at best theoretical in nature. While the draft
> defers the discussion on how they were derived to a reference, it is easy
> enough to guess how they were obtained: select the Diffie-Hellman modulus
> size at the point where computing the discrete logarithm becomes just as
> expensive as attacking the symmetric key directly. However, unlike symmetric
> algorithms, public key operations like Diffie-Hellmans have a real cost, so
> this may not be the best way to set the requirement, even if it is
> theoretically the "right" way to do the job. Even if you believe Moore's law
> will remain true for the foreseeable future, 8K and 15K still represent
> about 9 and 11 more generations of processors, respectively, before you get
> performance most users will tolerate. The most credible study I've seen
> estimating key strengths is Lenstra and Verheul's "Selecting Cryptographic
> Key Sizes", November 15, 1999. They estimate that 4K modular exponentiations
> will still be secure from any reasonable attacks for the next 50 years. So
> why should there be a requirement for anything above about 4K
> Diffie-Hellmans at this time? On the point of Diffie-Hellman modulus sizes,
> the draft's requirements seem to be way out of line both in regard to the
> state of technology and in regard to the nature of the perceived possible
> threats in the time frames when the draft will be applicable. What am I
> missing?
> 
> -- Jesse Walker
> 
>
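
The sizing rule guessed at in the quoted message (pick the modulus size at which the discrete logarithm costs as much as brute-forcing the symmetric key) can be worked through numerically; the following is an added example, not code from the thread or from the draft. It assumes the asymptotic general number field sieve estimate with its o(1) term dropped, so its outputs are not expected to reproduce the draft's figures. The function names, the `offset_bits` calibration knob and the cubic cost model for modular exponentiation are assumptions made here.

```python
import math

# (64/9)^(1/3): constant in the GNFS heuristic running time
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work_bits(modulus_bits, offset_bits=0.0):
    """log2 of the estimated GNFS cost for a modulus of the given size.

    offset_bits is a hypothetical calibration knob standing in for the
    o(1) term that the asymptotic formula leaves out.
    """
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2) + offset_bits


def matching_modulus_bits(symmetric_bits, offset_bits=0.0):
    """Smallest modulus size whose estimated cost reaches 2^symmetric_bits."""
    lo, hi = 256, 1 << 20  # the estimate grows with size, so bisect
    if gnfs_work_bits(hi, offset_bits) < symmetric_bits:
        raise ValueError("target strength is outside the search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid, offset_bits) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def relative_modexp_cost(modulus_bits, baseline_bits=1024):
    """Exponentiation cost relative to a baseline modulus size.

    Assumes cubic scaling (schoolbook multiplication, full-length
    exponent); real implementations and short exponents scale differently.
    """
    return (modulus_bits / baseline_bits) ** 3


if __name__ == "__main__":
    for key_bits in (128, 192, 256):
        size = matching_modulus_bits(key_bits)
        cost = relative_modexp_cost(size)
        print(f"{key_bits}-bit key: ~{size}-bit modulus, "
              f"~{cost:.0f}x the cost of a 1024-bit exponentiation")
```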