NSA Suite B Cryptography

Alexander Klimov alserkli at inbox.ru
Fri Oct 14 15:28:51 EDT 2005

On Fri, 14 Oct 2005, Steven M. Bellovin wrote:
> Precisely.  NSA's actions here are independent of whether or not they
> like open source software on other criteria.  They've determined that
> ECC presents a better cost-benefit tradeoff.  We all understand, I
> think, why they're not enamored with 1024-bit RSA.  Doubling the key
> size means a ~8x performance hit for the signer and 4x for the
> verifier; they need to worry about embedded devices such as secure
> phones, sensors, and things like smart landmines.

I guess that for common people there is no real problem with RSA in
next twenty years:
 * according to NIST [1] RSA-1024 is OK through 2010 and RSA-2048 is
   OK through 2030;
 * even now it takes only about 30 ms for an RSA-2048 decryption /
   signing on a PC [2] and the performance of mobiles is in the same
   range (~100 ms) due to dedicated coprocessors;
 * in most modern applications 256 bytes is not an issue.

Unfortunately, for Top Secret traffic they need 192-bit security that
is RSA-7680 [1] and so they want ECC *right now*.

[1] Recommendation for Key Management -- Part 1: General
    NIST Special Publication 800-57

[2] Crypto++ 5.2.1 Benchmarks

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list