[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: speaking of keys

To: ipsec@lists.tislabs.com
Subject: Re: speaking of keys
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 6 Dec 2002 19:23:48 GMT
Distribution: isaac
Newsgroups: isaac.lists.ipsec
Organization: University of California, Berkeley
References: <200212061737.gB6Hbw706193@localhost.localdomain> <p0510030fba16946c6846@[128.89.88.34]>
Sender: owner-ipsec@lists.tislabs.com

Stephen Kent  wrote:
>>You only get about 80 bits of strength from a 1024-bit DH group.  That
>>seems insufficient for reasonable paranoids.
>>
>>Hilarie
>
>Now I am really puzzled, given the recent messages from David Wagner 
>in which 160 bits of entropy was accorded to 1024-bit DH:
>
>>"This objection has already been addressed on the list.  Those 1024
>>bits of Diffie-Hellman only have 160 bits of strength (160 bits of
>>"computational entropy"), hence you're not reducing security by hashing
>>it down to 160 bits.
>
>What gives?

I believe Hilarie is right.  I meant to say that the 1024-bit DH gives *at
most* 160 bits of strength.  My recollection of the true number matches
Hilarie's: about 80-90 bits, as far as I know, under current attacks.

That said, your argument in favor of 1024-bit keys might still be
reasonable.  80-90 bits might be good enough for most purposes, and
larger moduli aren't free.  I wouldn't be happy with a block cipher that
is restricted to 80-bit keys, because the cost of increasing a block
cipher's keylength is typically quite small.  For IKE, in contrast, if you
want 128-bit security instead of 80-bit security, that incurs some cost.

References:
- Re: speaking of keys
  - From: "The Purple Streak, Hilarie Orman" <ho@alum.mit.edu>
- Re: speaking of keys
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: Summary of key derivation thread
Next by Date: Re: speaking of keys
Prev by thread: Re: speaking of keys
Next by thread: Re: speaking of keys
Index(es):
- Date
- Thread