
Re: AES draft query



(posting from home)

While I agree that doing DH using {3240,7945,15340}-bit moduli is a bit
intimidating, and also that some users' security requirements might
permit the use of significantly smaller exponents/moduli, something rubs
me wrong about *recommending* the use of smaller values. After all,
we're guessing about what sort of breakthroughs will be made in PK
attacks over the next n years. While I recognize that a breakthrough
could likewise occur with respect to a brute force attack, there is not
much we can do about this, except to further increase key sizes.

Perhaps a better approach would be to expand the discussion a bit. We
could point out that these are the minimum numbers of bits required to
ensure that a brute force attack on the DH exchange is as difficult as a
brute force attack on an m-random-bit session key, and then briefly
discuss reductions in these values, pointing to Hilarie's and Paul's
draft on the subject. In any event, I think it is appropriate to be as
clear as is practical regarding the bit strength, short of replicating
the above-mentioned key-strength draft's considerations inside of every
new cipher draft.

As an aside, this seems to make a pretty good case for the use of EC's.

Scott

