Re: Summary of key derivation thread
David Wagner wrote:
>This objection has already been addressed on the list. Those 1024
>bits of Diffie-Hellman only have 160 bits of strength (160 bits of
>"computational entropy"), hence you're not reducing security by hashing
>it down to 160 bits.
>
>Indeed, in some sense you are improving security by hashing the 1024-bit
>Diffie-Hellman result down to a 160-bit security, just as Hugo's earlier
>note pointed out. Can I encourage you to re-read Hugo's earlier emails
>on this topic? I hope you will find them persuasive. (I certainly did.)

I do not think we can select mandatory-to-implement algorithms without
agreement on the level of security that we are attempting to provide. In
my mind, this leads to two interrelated questions.

First, a summary of the consensus. A 1024-bit Diffie-Hellman result has 160
bits of entropy. HMAC-SHA-1 has a 160-bit output value, so there is a good
impedance match here. This provides 80 bits of strength. By now, I think
that people who have been reading this thread carefully have gotten these
points.

Question 1: Currently, the mandatory-to-implement requirement is bigger
than 1024-bit Diffie-Hellman. So, with the larger value, is a different
PRF needed to obtain a similar impedance match?

Question 2: Based on the NIST key management recommendations, 80 bits of
security is adequate for protecting sensitive government information until
2015, and 112 bits of security is adequate until 2030. Which of these
targets is the mandatory-to-implement aiming at? Or, are we after
something in the middle, say 96 bits?

Russ