Re: IKE entropy issues with long keys
In message <sditmp3txl.fsf@wanderer.hardakers.net>, Wes Hardaker writes:
>>>>>> On Fri, 2 Feb 2001 17:53:13 -0500, "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com> said:
>
>
>Also, IMHO, The "2^128 is large enough" response is a silly one. If
>that were true, we wouldn't bother developing new algorithms with
>longer key lengths. The AES requirements required longer key lengths
>for a reason. Currently unknown attacks may reduce the functional key
>space of an algorithm to something that is computationally feasible.
>--
Well, some of us don't think that AES needed 256-bit keys...

More to the point, I'm by no means excluding new attacks. In
particular, attacks that produce some of the key bits but require
brute-force searches of the remaining bits are not at all implausible.
What I had said is that cryptanalytic activity of order 2^128 operations
is infeasible, whether for factoring or for finding AES keys. An
attack that lowers the workload for factoring almost certainly does not
reduce the difficulty of finding an AES key by the same amount, though
of course it does lower the difficulty of getting at the plaintext.

Put another way, matching the factoring (or discrete log) workloads
isn't interesting unless you think that an attacker can muster that much
work, of either sort. You allow headroom for either or both only to
the extent that you are afraid of breakthroughs that will lower the
amount of work needed. But except for a straight Moore's Law play, the
two don't need to match.
--Steve Bellovin, http://www.research.att.com/~smb
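As an added worked example (not part of this message or the thread), the work-factor arithmetic behind the comparison made above: residual brute-force effort after an attack leaks part of a symmetric key, a rough factoring cost for an RSA-sized modulus, and the "Moore's Law play" headroom. The GNFS L-notation estimate, the 1.5-year doubling period and the sample key and modulus sizes are assumptions of the example, not figures from the thread.

```python
import math

# Added example; the constants below are assumptions for illustration only.

def symmetric_work_bits(key_bits: int, leaked_bits: int = 0) -> int:
    """log2 of the brute-force effort left when an attack recovers
    leaked_bits of the key outright and the remaining bits must be searched."""
    if not 0 <= leaked_bits <= key_bits:
        raise ValueError("leaked_bits must lie between 0 and key_bits")
    return key_bits - leaked_bits

def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] for factoring
    an n-bit modulus. Assumption: asymptotic form with the o(1) term dropped,
    so it is only good for rough ordering, not calibrated to real runs."""
    ln_n = modulus_bits * math.log(2)
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    ln_work = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)

def years_until_feasible(work_bits: float, feasible_bits_now: float,
                         doubling_years: float = 1.5) -> float:
    """Straight Moore's Law play: years until work_bits of effort becomes
    feasible if the feasible effort doubles every doubling_years (assumed)."""
    return max(0.0, (work_bits - feasible_bits_now) * doubling_years)

def workload_gap(modulus_bits: int, key_bits: int) -> float:
    """Signed difference (in bits) between factoring the modulus and searching
    the symmetric key; positive means the key search is the harder job."""
    return symmetric_work_bits(key_bits) - gnfs_work_bits(modulus_bits)

if __name__ == "__main__":
    # A partial-key attack on a 256-bit key still leaves 2^128 work.
    print("AES-256 with 128 bits leaked:", symmetric_work_bits(256, 128), "bits")
    for n in (1024, 2048, 3072):          # sample modulus sizes (assumed)
        print(f"GNFS on {n}-bit modulus ~ 2^{gnfs_work_bits(n):.1f}, "
              f"gap vs AES-128: {workload_gap(n, 128):+.1f} bits")
    # Assumed present-day feasible effort of 2^64 for the Moore's Law estimate.
    print("years until 2^128 is feasible:", years_until_feasible(128, 64))
```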