
RE: Rijndael selected as AES



> Has it occurred to anyone the silliness of adding AES to IPsec/IKE without
> adding larger primes to IKE? There was a discussion in March on this list
> with regards to larger primes, but it died out around the time someone
> would need to have written a draft. I believe Tero did post the larger DH
> primes to the list. Any volunteers to write that up?

Will,

I'm not sure that is so silly. We did an analysis (based on the data in
Hilarie's paper), which suggested that DH group 5 & 3DES have sufficient
strength to provide protection against brute force in the long term.

The greatest benefit we will derive from AES is performance: 3DES security
at DES speed. Just because AES will have even greater strength than 3DES
doesn't mean we need to match that strength in the DH computation at a huge
performance cost.

The other concern is entropy. Yes, the large key size means that some bits
in the key will be correlated, but that shouldn't be a problem if you trust
your prf function. You would probably derive a greater benefit from
upgrading your prf than from increasing the group size.

Of course it doesn't do any harm to write up the additional groups in a
draft, but I don't think we want to encourage people to actually use them
for most real-world situations.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


