
Re: AES draft query

Judging from the estimates in Lenstra-Verheul's 
[LV, http://www.cryptosavvy.com/cryptosizes.pdf] paper for modp
groups, DH modulus lengths in the range of 1500-2000 bits should be
suitable today for securing information that requires 20-30 years range
protection. Barring major (possibly disastrous) cryptanalytical advances, I
find their analysis to be quite reasonable (at least in what concerns DH
modp sizes). They assume future DH cryptanalysis to progress at a rate
similar to the cryptanalytical advances seen in the last 10-20 years; 
same for computing costs. The desired security level is modelled through
an attacker that, at year-2000 costs, is able to spend 16 Million PC-years in
the attack. This seems to be a quite powerful attacker, certainly in terms
of commercial security.

Thus, it seems to me that for MOST commercial applications the above 
range of DH prime size is convincingly sufficient.  This
is in strong contrast with draft-ietf-ipsec-ciph-aes-cbc-00.txt that
specifies 3240-bit DH primes to be used before the end of 2000 (when
128-bit AES will be adopted), not to speak of 8000 and 15000 bits 
recommended in that draft for longer AES keys.
Actually, the [LV] estimates consider a 3400-bit modulus to be a safe
choice even for 50-year security.

In my opinion overkill sizes can kill security altogether. 
The performance penalty may drive people to abandon security
or to weaken it by skipping some mechanisms (after all, who is using 
DH in SSL today?)
I also doubt that anyone REALLY requiring 50-year range secrecy should be
using public key algorithms to establish keys. Such specialized
applications do not usually happen between "spontaneous partners".
In these cases, strong physically protected shared keys may well do the
job. (You can use a CD-ROM full of one-time random bits or use a shorter
manually installed key and "triple-encrypt" data with three of your 
favorite block ciphers.)

Of course I am taking a chance by questioning 
draft-ietf-ipsec-ciph-aes-cbc-00.txt recommendations. 
After all, they may prove to be correct 10 (or fewer) years from now. 
But then it is not clear that even their recommended sizes will suffice.
Except, of course, if the guys from NIST know something we do not know... :)

Finally, a word about recommendations regarding Elliptic-Curve 
algorithms (in particular in draft-ietf-ipsec-ciph-aes-cbc-00.txt).  
To me the recommendations regarding these groups are in sharp contrast 
with the conservative numbers used for the modp groups.  They basically 
assume that NO significant cryptanalytical advance will happen in 
this area in the next 20-50 years. That's HARD to believe.  Note 
that cryptanalytical advances against EC systems are happening all 
the time. So far they only concerned special-type groups, but we are 
quite in the infancy of this research (if we compare the amount of 
research and resources spent on EC cryptosystems relative to those 
spent so far on factoring and Dlog). A significant cryptanalytical 
advance regarding the proposed EC systems will easily render these 
groups totally insecure since no safety margin was planned ahead.

[One can use the following analogy regarding modp vs EC groups: 
consider a city like San Francisco, where buildings are built to 
withstand some significant level of seismic activity, and another 
city that never suffered an earthquake.  While it may seem safer to 
live in the latter city, let's imagine that one day you are told that 
an earthquake of unknown strength is going to happen at both places, 
and you must be in one of them. Which city would you choose?]

This is not to say that one should abandon EC groups; I only recommend
care. For example, I would feel comfortable with current-size groups for
short-term secrecy, I would go for a much larger safety margin 
for mid-term security, and would go with my CD-ROM for long-term security...

Hugo
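[Editor's note: the script below is an added worked example; it is not part of Hugo's message and it is not the Lenstra-Verheul model. It makes the size comparison the message argues about concrete using two textbook heuristics, both stated here as assumptions: for modp groups, the asymptotic number field sieve running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, used only for ratios and pinned to the conventional "1024-bit modp is roughly 80-bit symmetric" calibration point; for elliptic-curve groups, generic (Pollard rho) attacks only, i.e. strength of half the group order in bits. The `margin_after_advance` function treats a hypothetical cryptanalytic advance as a flat 2^k speedup of the best attack, a first-order illustration of the "safety margin" point, not a model of how NFS or EC attacks actually improve.]

```python
"""Rough key-size comparison: modp (DH/RSA) vs. elliptic-curve groups vs. symmetric keys.

Added example, not from the original message.  Assumptions:
  * modp: NFS (factoring / discrete log) costs L_n[1/3, c] =
    exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3), o(1) dropped.
    Absolute values are therefore meaningless; only RATIOS are used, calibrated
    to the conventional equivalence "1024-bit modp ~ 80-bit symmetric".
  * EC: only generic attacks (Pollard rho, ~sqrt(group order) operations),
    i.e. strength = half the order's bit length.  No curve-specific attack and
    no margin for future ones is assumed.
"""
import math

NFS_C = (64 / 9) ** (1 / 3)   # 1.923..., the (G)NFS exponent constant
CALIB_MODP_BITS = 1024        # assumption: calibration point (modulus size)
CALIB_SYM_BITS = 80           # assumption: 1024-bit modp ~ 80-bit symmetric


def nfs_log2_work(modulus_bits: int) -> float:
    """log2 of the asymptotic NFS running time for a modulus of `modulus_bits`
    bits, with the o(1) term dropped.  Only differences between two calls are
    meaningful."""
    ln_n = modulus_bits * math.log(2)
    return NFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def modp_security_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of a modp group: the NFS curve shifted so
    that CALIB_MODP_BITS lands exactly on CALIB_SYM_BITS."""
    return CALIB_SYM_BITS + nfs_log2_work(modulus_bits) - nfs_log2_work(CALIB_MODP_BITS)


def modp_bits_for(target_sym_bits: float, step: int = 8) -> int:
    """Smallest modulus size (in multiples of `step` above the calibration
    point) whose estimated strength reaches `target_sym_bits`."""
    bits = CALIB_MODP_BITS
    while modp_security_bits(bits) < target_sym_bits:
        bits += step
    return bits


def ec_security_bits(order_bits: int) -> float:
    """Strength of an EC group against generic attacks only: sqrt of the group
    order, i.e. half its bit length.  Any curve-specific attack lowers this."""
    return order_bits / 2


def ec_bits_for(target_sym_bits: float) -> int:
    """Group order size needed for `target_sym_bits` under generic attacks."""
    return math.ceil(2 * target_sym_bits)


def margin_after_advance(target_sym_bits: float, speedup_bits: float) -> dict:
    """Sizes needed to keep `target_sym_bits` if the best attack on each family
    became 2**speedup_bits faster (first-order illustration of the safety margin
    each family would have to buy in advance)."""
    return {
        "modp_before": modp_bits_for(target_sym_bits),
        "modp_after": modp_bits_for(target_sym_bits + speedup_bits),
        "ec_before": ec_bits_for(target_sym_bits),
        "ec_after": ec_bits_for(target_sym_bits + speedup_bits),
    }


if __name__ == "__main__":
    # Sizes discussed in the thread: the LV-style 1500-2000 range, the draft's
    # 3240 / 8000 / 15000 figures (rounded here to common power-of-two-ish sizes).
    for b in (1024, 1536, 2048, 3240, 8192, 15360):
        print(f"modp {b:6d}-bit modulus ~ {modp_security_bits(b):6.1f}-bit symmetric (NFS heuristic)")
    for b in (160, 256, 384, 521):
        print(f"EC   {b:6d}-bit order   ~ {ec_security_bits(b):6.1f}-bit symmetric (generic attacks only)")
    print("sizes needed for 128-bit strength if attacks get 2^20 faster:",
          margin_after_advance(128, 20))
```

Under these heuristics the 3240-bit modulus lands a few bits above the 128-bit mark and the 8192/15360-bit sizes near 192 and 256 bits, while a 256-bit curve sits exactly at 128 bits with nothing to spare; the last line of output shows how much each family would have to grow to absorb the same hypothetical speedup.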
