80-bit security? (Was: Re: SHA-1 collisions now at 2^{52}?)
Steven M. Bellovin
smb at cs.columbia.edu
Wed May 6 20:54:34 EDT 2009
On Thu, 30 Apr 2009 17:44:53 -0700
Jon Callas <jon at callas.org> wrote:
> The accepted wisdom
> on 80-bit security (which includes SHA-1, 1024-bit RSA and DSA keys,
> and other things) is that it is to be retired by the end of 2010.
That's an interesting statement from a historical perspective -- is it
true? And what does that say about our ability to predict the future,
and hence to make reasonable decisions on key length?
See, for example, the 1996 report on key lengths, by Blaze, Diffie,
Rivest, Schneier, Shimomura, Thompson, and Wiener, available at
http://www.schneier.com/paper-keylength.html -- was it right?
In 1993, Brickell, Denning, Kent, Maher, and Tuchman's interim report
on Skipjack (I don't believe there was ever a final report) stated that
Skipjack (an 80-bit cipher) was likely to be secure for 30-40 years.
Was it right?
The problem with SHA-1 is not its 80-bit security, but rather that it's
not that strong.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list