[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: speaking of keys
Stephen Kent wrote:
>>You only get about 80 bits of strength from a 1024-bit DH group. That
>>seems insufficient for reasonable paranoids.
>>
>>Hilarie
>
>Now I am really puzzled, given the recent messages from David Wagner
>in which 160 bits of entropy was accorded to 1024-bit DH:
>
>>"This objection has already been addressed on the list. Those 1024
>>bits of Diffie-Hellman only have 160 bits of strength (160 bits of
>>"computational entropy"), hence you're not reducing security by hashing
>>it down to 160 bits.
>
>What gives?
I believe Hilarie is right. I meant to say that the 1024-bit DH gives *at
most* 160 bits of strength. My recollection of the true number matches
Hilarie's: about 80-90 bits, as far as I know, under current attacks.
That said, your argument in favor of 1024-bit keys might still be
reasonable. 80-90 bits might be good enough for most purposes, and
larger moduli aren't free. I wouldn't be happy with a block cipher that
is restricted to 80-bit keys, because the cost of increasing a block
cipher's keylength is typically quite small. For IKE, in contrast, if you
want 128-bit security instead of 80-bit security, that incurs some cost.