[Cryptography] RSA equivalent key length/strength

[ianG]

On 22/09/13 03:07 AM, Patrick Pelletier wrote:
> On 9/14/13 11:38 AM, Adam Back wrote:
>
>> Tin foil or not: maybe its time for 3072 RSA/DH and 384/512 ECC?
>
> I'm inclined to agree with you, but you might be interested/horrified in
> the "1024 bits is enough for anyone" debate currently unfolding on the
> TLS list:
>
> http://www.ietf.org/mail-archive/web/tls/current/msg10009.html


1024 bits is pretty good, and there's some science that says it's about 
right.  E.g., risk management says there is little point in making a 
steel door inside a wicker frame.

The problem is more to do with distraction than anything else.  It is a 
problem that people will argue about the numbers, because they can 
compare numbers, far more than they will argue about the essentials. 
There is a psychological bias to beat ones chest about how tough one is 
on the numbers, and thus prove one is better at this game than the enemy.

Unfortunately, in cryptography, almost always, other factors matter more.

So, while you're all arguing about 1024 versus 4096, what you're not 
doing is delivering a good system.  That delay feeds in to the customer 
equation, and the result is less security.  Even when you finally 
compromise on 1964.13 bits, the result is still less security, because 
of other issues like delays.


> and there was a similar discussion on the OpenSSL list recently, with
> GnuTLS getting "blamed" for using the ECRYPT recommendations rather than
> 1024:
>
> http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html


Yeah, they are getting confused (compatibility failures) from too much 
choice.  Never a good idea.  Take out the choice.  One number.  Get back 
to work.



iang