Trillian Secure IM
Andrew Odlyzko
odlyzko at dtc.umn.edu
Sat Oct 13 18:28:07 EDT 2007
To add to the reference, a preprint is available online at
http://www.dtc.umn.edu/~odlyzko/doc/arch/prime.discrete.logs.pdf
A companion paper that was used crucially in the solution, "Solving
large sparse linear systems over finite fields," pp. 109-133 in
"Advances in Cryptology - CRYPTO '90," A. J. Menezes and S. A. Vanstone
(eds.), Springer Verlag, Lecture Notes in Computer Science #537 (1991)
is available at
http://www.dtc.umn.edu/~odlyzko/doc/arch/sparse.linear.eqs.pdf
Andrew Odlyzko, http://www.dtc.umn.edu/~odlyzko
> On Fri Oct 12, Steve Bellovin wrote:
On Thu, 11 Oct 2007 21:50:06 -0700
Bill Stewart <bill.stewart at pobox.com> wrote:
>
> > > | Which is by the way exactly the case with SecureIM. How
> > > | hard is it to brute-force 128-bit DH ? My "guesstimate"
> > > | is it's an order of minutes or even seconds, depending
> > > | on CPU resources.
>
> Sun's "Secure NFS" product from the 1980s had 192-bit Diffie-Hellman,
> and a comment in one of the O'Reilly NFS books says that
> "However, by 1990, advances in RISC processors produced
> workstation machines that could, by brute force,
> derive the private key from any public key in under a day."
> but that in 1987 there were still a lot of Motorola 68010 machines
> that took several minutes to generate keys so they didn't want it
> longer. I'm guessing that a 1990 RISC machine was around 50 MIPS,
> so it's maybe 1/100 the speed of a modern single-core CPU.
>
> 128-bit DH sounds like as good a decision as using 40-bit RC4 keys
> would be today.
>
It wasn't just brute force, it was math.
@Article{ nfscrack,
author = {Brian A. LaMacchia and Andrew M. Odlyzko},
journal = {Designs, Codes, and Cryptography},
pages = {46--62},
title = {Computation of Discrete Logarithms in Prime Fields},
volume = {1},
year = {1991},
annote = {Describes how the authors cryptanalyzed Secure RPC.}
}
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list