NSA Suite B Cryptography
Alexander Klimov
alserkli at inbox.ru
Fri Oct 14 15:28:51 EDT 2005
On Fri, 14 Oct 2005, Steven M. Bellovin wrote:
> Precisely. NSA's actions here are independent of whether or not they
> like open source software on other criteria. They've determined that
> ECC presents a better cost-benefit tradeoff. We all understand, I
> think, why they're not enamored with 1024-bit RSA. Doubling the key
> size means a ~8x performance hit for the signer and 4x for the
> verifier; they need to worry about embedded devices such as secure
> phones, sensors, and things like smart landmines.
I guess that for common people there is no real problem with RSA in
next twenty years:
* according to NIST [1] RSA-1024 is OK through 2010 and RSA-2048 is
OK through 2030;
* even now it takes only about 30 ms for an RSA-2048 decryption /
signing on a PC [2] and the performance of mobiles is in the same
range (~100 ms) due to dedicated coprocessors;
* in most modern applications 256 bytes is not an issue.
Unfortunately, for Top Secret traffic they need 192-bit security that
is RSA-7680 [1] and so they want ECC *right now*.
[1] Recommendation for Key Management -- Part 1: General
NIST Special Publication 800-57
http://csrc.nist.gov/CryptoToolkit/kms/SP800-57Part1August2005.pdf
[2] Crypto++ 5.2.1 Benchmarks
http://www.eskimo.com/~weidai/benchmarks.html
--
Regards,
ASK
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list