Re: speaking of keys

[Derrell Piper <ddp@electric-loft.org>]

What's the current state-of-the-art for COTS hardware accelerators?  It 
was the case a few years back that many public-key chips didn't do 
 >1024 bit DH groups.  What's the story today?  Do we care?

Derrell

On Monday, December 9, 2002, at 01:35 PM, Hugo Krawczyk wrote:

> Russ,
>
> I am fine with 1024-bit DH group as must-to-implement today.
> (At least for those that  assume that no attacker is interested to 
> record
> their traffic today and be able to decrypt it in a few years,
> in which case a longer modulus may be recommended.)
> Yet your analogy to signature-key size does not hold.
> Breaking your signatures in two years from now is meaningless if you
> revoked your key/certificates in the meantime.
> In the case of DH, however, the secrecy of the key (if used to derive
> data encryption keys) may need to be protected long after the DH key is
> expired and removed from memory.
> Therefore the security requirements on DH (especially standarized
> groups) are more stringent, in general, than on signatures.
>
> Hugo
>
> On Fri, 6 Dec 2002, Russ Housley wrote:
>
>> Steve:
>>
>> I support your recommendation.  In fact, I was going to make the same
>> recommendation, but for a different reason.  I few weeks ago, we had 
>> a long
>> thread discussing mandatory to implement signature algorithms.  We 
>> decided
>> that RSA with 1024-bit keys will be mandatory to implement.  So, if 
>> 1024
>> bits is adequate for the signature, it seems like 1024 should also be
>> adequate for the key agreement algorithm.
>>
>> Russ
>>
>