Re: Summary of key derivation thread



David Wagner wrote:
>This objection has already been addressed on the list.  Those 1024
>bits of Diffie-Hellman only have 160 bits of strength (160 bits of
>"computational entropy"), hence you're not reducing security by hashing
>it down to 160 bits.
>
>Indeed, in some sense you are improving security by hashing the 1024-bit
>Diffie-Hellman result down to a 160-bit security, just as Hugo's earlier
>note pointed out.  Can I encourage you to re-read Hugo's earlier emails
>on this topic?  I hope you will find them persuasive.  (I certainly did.)

I do not think we can select mandatory-to-implement algorithms without 
agreement on the level of security that we are attempting to provide.  In 
my mind, this leads to two interrelated questions.

First, a summary of the consensus.  A 1024-bit Diffie-Hellman result has 160 
bits of entropy.  HMAC-SHA-1 has a 160-bit output value, so there is a good 
impedance match here.  This provides 80 bits of strength.  By now, I think 
that people who have been reading this thread carefully have gotten these 
points.

Question 1:  Currently, the mandatory-to-implement requirement is bigger 
than 1024-bit Diffie-Hellman.  So, with the larger value, is a different 
PRF needed to obtain a similar impedance match?

Question 2:  Based on the NIST key management recommendations, 80 bits of 
security is adequate for protecting sensitive government information until 
2015, and 112 bits of security is adequate until 2030.  Which of these 
targets is the mandatory-to-implement aiming at?  Or, are we after 
something in the middle, say 96 bits?

Russ