
Re: IKE entropy issues with long keys



In message <sditmp3txl.fsf@wanderer.hardakers.net>, Wes Hardaker writes:
>>>>>> On Fri, 2 Feb 2001 17:53:13 -0500, "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com> said:
>
>
>Also, IMHO, the "2^128 is large enough" response is a silly one.  If
>that were true, we wouldn't bother developing new algorithms with
>longer key lengths.  The AES requirements required longer key lengths
>for a reason.  Currently unknown attacks may reduce the functional key
>space of an algorithm to something that is computationally feasible.
>-- 

Well, some of us don't think that AES needed 256-bit keys...

More to the point, I'm by no means excluding new attacks.  In 
particular, attacks that produce some of the key bits but require 
brute-force searches of the remaining bits are not at all implausible.  
What I had said is that cryptanalytic activity of order 2^128 operations 
is infeasible, whether for factoring or for finding AES keys.  An 
attack that lowers the workload for factoring almost certainly does not 
reduce the difficulty of finding an AES key by the same amount, though 
of course it does lower the difficulty of getting at the plaintext.

Put another way, matching the factoring (or discrete log) workloads 
isn't interesting unless you think that an attacker can muster that much 
work, of either sort.  You allow headroom for either or both only to 
the extent that you are afraid of breakthroughs that will lower the 
amount of work needed.  But except for a straight Moore's Law play, the 
two don't need to match.

		--Steve Bellovin, http://www.research.att.com/~smb
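The workload comparison Bellovin is drawing, as an added example that is not part of the thread: a small Python calculator that uses the standard GNFS L[1/3, (64/9)^(1/3)] heuristic to estimate the cost of factoring an IKE modulus (or taking a discrete log of the same size), sets it beside the brute-force cost of a symmetric key, and covers his partial-key-recovery case where an attack hands over some key bits and leaves the rest to search. Assumptions: the o(1) term and calibration constants are dropped, so the figures run a few bits above the usual published equivalences, and the function and parameter names are this example's own.

```python
import math

# Heuristic GNFS cost for an n-bit modulus: L[1/3, (64/9)^(1/3)].
# Assumption: the o(1) term is dropped and nothing is calibrated against a
# real factoring record, so these are trend figures, not precise equivalences.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS work for a modulus of the given size."""
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_ln / math.log(2)


def modulus_bits_matching(symmetric_bits: int) -> int:
    """Smallest modulus size whose GNFS work reaches 2^symmetric_bits.

    gnfs_work_bits is monotonic in the modulus size, so a bisection suffices.
    """
    lo, hi = 256, 65536
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def residual_search_bits(key_bits: int, recovered_bits: int) -> int:
    """Brute-force work left on a symmetric key after an attack leaks some bits."""
    return max(key_bits - recovered_bits, 0)


def headroom_report(key_bits: int, modulus_bits: int, recovered_bits: int = 0) -> dict:
    """Compare the two work factors for one IKE-style cipher/modulus pairing."""
    sym = residual_search_bits(key_bits, recovered_bits)
    pk = gnfs_work_bits(modulus_bits)
    return {"symmetric_bits": sym, "factoring_bits": round(pk, 1),
            "weakest_link": "symmetric" if sym < pk else "public-key"}


if __name__ == "__main__":
    for mod in (1024, 1536, 2048, 3072):
        print(mod, "bit modulus ~ 2^%.1f work" % gnfs_work_bits(mod))
    print("AES-128 with a 1024-bit modulus:", headroom_report(128, 1024))
    print("AES-128, 24 bits leaked, 3072-bit modulus:",
          headroom_report(128, 3072, recovered_bits=24))
```

The second report shows Bellovin's point in numbers: an attack that recovers some symmetric key bits moves the weakest link without touching the factoring estimate, and the two figures only need to match if you expect the attacker to be able to muster both kinds of work.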