
- *To*: <sheila.frankel@nist.gov>, <smb@research.att.com>
- *Subject*: Re: IV sizes for AES candidates
- *From*: "Hilarie Orman" <HORMAN@novell.com>
- *Date*: Tue, 08 Aug 2000 10:44:10 -0600
- *Cc*: <jeff@allegrosys.com>, <ipsec@lists.tislabs.com>
- *Sender*: owner-ipsec@lists.tislabs.com

That 15K bit DH modulus for deriving large symmetric keys is exactly why elliptic curve groups are so important. The computation cost is exponential in the size of the modulus and the EC modulus for equivalent strength is much smaller. Palatable, even.

Whether or not 256 bits of symmetric key buys you more than 128 bits is determined by the requirements for the duration of secrecy and predictions of future technology. We lose somewhere between 2/3 and 1 bit per year, so 128 bits might just not last for the amount of time between DES and AES. At this moment, 256 bits looks good for 50 years, even assuming a radical breakthrough in computing devices.

Hilarie
