[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IV sizes for AES candidates

That 15K bit DH modulus for deriving large symmetric keys is exactly
why elliptic curve groups are so important.  The computation cost
is exponential in the size of the modulus and the EC modulus for
equivalent strength is much smaller.  Palatable, even.

Whether or not 256 bits of symmetric key buys you more than 128 bits
is determined by the requirements for the duration of secrecy and
predictions of future technology.  We lose somewhere between 
2/3 and 1 bit per year, so 128 bits might just not last for the amount
of time between DES and AES.  At this moment, 256 bits looks good
for 50 years, even assuming a radical breakthrough in computing