Re: speaking of keys

[Hugo Krawczyk <hugo@ee.technion.ac.il>]

On Fri, 20 Dec 2002, The Purple Streak, Hilarie Orman wrote:

> You get about 8 bits of extra strength going from 1024 to 1280.  You get about
> 17 bits going from 1024 to 1536.

8 (or even 17) bits may sound as very little, but if we consider only
computational advances (not cryptanalytical ones) 8 bits of additional
strength means 12 more years of security in terms of Moore's progress. 
That is, if we consider that computational resources double each 1.5
year, then we have that they quadruple each 3 years. In terms of "bits of
strength" this means that 2 additional bits count for 3 more years of
security.  Thus, 8 bits give you another 12 years and 17 give 25 years.
That is very significant.

Of course (and again) this does not take into account cryptanalytical
advances which is where the highest danger to cryptography lies.
In particular, we do not know when (and by whom) the 1024 -bit DH
standarized groups will be practically broken.

Hugo


> 
> It is ridiculous to consider 1024 for a protocol that will exchange billions
> of keys over the next several years.
> 
> Hilarie
> 
> >  > 
> >  > The draft NIST guidelines do not offer an recommendations on values between
> >  > 1024 and 2048.  However, some interpolation is possible.  I think that we
> >  > should consider 1280 and 1536.
> >  > 
> >  > Russ
> >  Actually, 1280 was one of the values I had thought of, but I don't have
> >    a good intuitive feel for how much stronger it is than 1024.
>