[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IV sizes for AES candidates

To: <sheila.frankel@nist.gov>, <smb@research.att.com>
Subject: Re: IV sizes for AES candidates
From: "Hilarie Orman" <HORMAN@novell.com>
Date: Tue, 08 Aug 2000 10:44:10 -0600
Cc: <jeff@allegrosys.com>, <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com

That 15K bit DH modulus for deriving large symmetric keys is exactly
why elliptic curve groups are so important.  The computation cost
is exponential in the size of the modulus and the EC modulus for
equivalent strength is much smaller.  Palatable, even.

Whether or not 256 bits of symmetric key buys you more than 128 bits
is determined by the requirements for the duration of secrecy and
predictions of future technology.  We lose somewhere between 
2/3 and 1 bit per year, so 128 bits might just not last for the amount
of time between DES and AES.  At this moment, 256 bits looks good
for 50 years, even assuming a radical breakthrough in computing
devices.

Hilarie

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: RE: Heartbeats Straw Poll
Prev by thread: Re: IV sizes for AES candidates
Next by thread: RE: IV sizes for AES candidates
Index(es):
- Main
- Thread