
Re: Summary of key derivation thread




On Tue, 10 Dec 2002, Russ Housley wrote:

> Hugo:
> 
> Thanks for the clarifications.  More on my second question.
> 
> > > Question 2:  Based on the NIST key management recommendations, 80 bits of
> > > security is adequate for protecting sensitive government information until
> > > 2015, and 112 bits of security is adequate until 2030.  Which of these
> > > targets is the mandatory-to-implement aiming at?  Or, are we after
> > > something in the middle, say 96 bits?
> >
> >I do not know what the "market answer" to this is.
> >But even if you take the "NIST minimum" of 80, you need to go for
> >a modulus longer than 1024, probably 1200 bits (Hilarie may have precise
> >estimates). For 96 bits you already need to exceed the 2048-bit keys.
> 
> The NIST key management guidance indicates that 1024-bit Diffie-Hellman and 
> 1024-bit RSA provide 80 bits of security.  Are you suggesting that this 
> guidance is way off?
> 
> Russ
> 
> 

I have never computed these things myself. However, according to
Hilarie's draft on PK sizes it takes 2^80 operations to break a 1195-bit
modulus (using NFS), and Lenstra and Verheul estimate the cost of breaking
a 1024-bit group to be 2^72 operations. 

Hugo