Lucky's 1024-bit post [was: RE: objectivity and factoring analysis]

Bill Stewart bill.stewart at pobox.com
Fri Apr 26 04:16:04 EDT 2002


At 08:52 AM 04/24/2002 +0800, Enzo Michelangeli wrote:
>In particular, none of the naysayers explained to me clearly why it should be
>reasonable to use 256-bit ciphers like AES with 1024-bit PK keypairs. Even
>before Bernstein's papers it was widely accepted that bruteforcing a 256-bit
>cipher requires computing power equivalent to ~16Kbit RSA or DH keys (and
>~~512-bit ECC keys). Given that a cipher protects only one session,

*Something* has to be the weakest link; calls for balance really come down to
"If Algorithm A is already the stronger part of the system,
why should I waste extra time/work strengthening it instead of Algorithm B?".
It doesn't hurt to make parts of the system stronger than necessary,
unless there are other costs like limiting the sizes of the other keys
that can fit in a UDP packet or whatever.   And making the AES algorithm
use longer-than-needed keys gives you some extra insurance against
mathematical breakthroughs or other sorts of discovered weaknesses.

The important issue about whether you can use X-bit block cyphers with
Y-bit public-key cyphers is whether Y bits of PK can give you X good key bits.
For Diffie-Hellman, the conventional wisdom seems to be that
Y bits of public key gives you Y/2 bits of usable keying material,
which means that 1024-bit DH is good enough for 256-bit AES.
For RSA, I think you can protect almost up to pubkeylength bits of message,
since the key generation happens separately from the public-key parts,
but you're definitely into overkill range.

So the question falls back to "Is 1024 bits long enough?".




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
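
The weakest-link comparison discussed in the message above, as an added example that is not part of the original post. It assumes the cost of attacking an RSA or prime-field DH modulus follows the heuristic GNFS running time with the o(1) term dropped, so the figures are rough, uncalibrated estimates; the function names are hypothetical.

```python
import math

# Assumption of this added example: attack cost on a modulus n is the
# heuristic GNFS running time L_n[1/3, (64/9)^(1/3)] with the o(1) term
# dropped. This gives rough estimates, not a standard's key-size table.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_bits(modulus_bits):
    """Approximate symmetric-equivalent strength: log2 of the GNFS work."""
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def modulus_bits_for(symmetric_bits, lo=512, hi=65536):
    """Smallest modulus size (bits) whose estimate reaches symmetric_bits."""
    while lo < hi:  # bisection; gnfs_bits is increasing on this range
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= symmetric_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def weakest_link(cipher_bits, modulus_bits):
    """Return which part bounds the system and the bounding strength."""
    est = gnfs_bits(modulus_bits)
    part = "public key" if est < cipher_bits else "cipher"
    return part, min(est, cipher_bits)


if __name__ == "__main__":
    for cipher, modulus in [(56, 1024), (128, 1024), (256, 1024), (256, 16384)]:
        part, bits = weakest_link(cipher, modulus)
        print(f"{cipher}-bit cipher + {modulus}-bit modulus: "
              f"weakest link is the {part} (~{bits:.0f} bits)")
    for sym in (80, 128, 256):
        print(f"~{sym}-bit strength needs a modulus of about "
              f"{modulus_bits_for(sym)} bits under this estimate")
```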


