[Cryptography] RSA equivalent key length/strength
John Kelsey
crypto.jmk at gmail.com
Wed Oct 2 10:59:24 EDT 2013
On Oct 2, 2013, at 9:54 AM, Paul Crowley <paul at ciphergoth.org> wrote:
> On 30 September 2013 23:35, John Kelsey <crypto.jmk at gmail.com> wrote:
>> If there is a weak curve class of greater than about 2^{80} that NSA knew about 15 years ago and were sure nobody were ever going to find that weak curve class and exploit it to break classified communications protected by it, then they could have generated 2^{80} or so seeds to hit that weak curve class.
>
> If the NSA's attack involves generating some sort of collision between a curve and something else over a 160-bit space, they wouldn't have to be worried that someone else would find and attack that "weak curve class" with less than 2^160 work.
I don't know enough about elliptic curves to have an intelligent opinion on whether this is possible. Has anyone worked out a way to do this?
The big question is how much work would have had to be done. If you're talking about a birthday collision on the curve parameters, is that a collision on a 160 bit value, or on a 224 or 256 or 384 or 512 bit value? I can believe NSA doing a 2^{80} search 15 years ago, but I think it would have had to be a top priority. There is no way they were doing 2^{112} searches 15 years ago, as far as I can see.
--John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131002/aead1249/attachment.html>
More information about the cryptography
mailing list