[Cryptography] NSA and cryptanalysis
Perry E. Metzger
perry at piermont.com
Mon Sep 2 13:25:38 EDT 2013
On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter <leichter at lrw.com>
wrote:
> - To let's look at what they want for TOP SECRET. First off, RSA -
> accepted for a transition period for SECRET, and then only with
> 2048 bit moduli, which until the last year or so were almost
> unknown in commercial settings - is completely out for TOP SECRET.
> So clearly they're faith in RSA is gone.
That is a misunderstanding.
If you look at the way that the NSA specs these things, they try to
keep all portions of a system of equal security so none is the weak
point. A 2048 bit RSA key is factored vastly more easily than a 256
bit AES key is brute forced (that's just public knowledge -- try doing
the back of the envelope yourself) so that size key would be
insufficient. However, a sufficiently large RSA key to be "correctly
sized" for 256 bit AES is totally impractical for performance reasons,
see:
http://www.nsa.gov/business/programs/elliptic_curve.shtml
So clearly the purpose of pushing ECC for this application is that
they want the public key algorithm and its key size to have comparable
security while both performing reasonably well.
> (Same for DH and DSA.)
> It looks as if they are betting that factoring and discrete logs
> over the integers aren't as hard as people had thought.
Not at all, and the rationale is public and seen above.
I believe you're incorrectly claiming that we know much less than we
actually do here.
Perry
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list