[Cryptography] NSA and cryptanalysis

Jack Lloyd lloyd at randombit.net
Mon Sep 2 18:06:04 EDT 2013

On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:

> a) The very reference you give says that to be equivalent to 128
> bits symmetric, you'd need a 3072 bit RSA key - but they require a
> 2048 bit key.  And the same reference says that to be equivalent to
> 256 bits symmetric, you need a 521 bit ECC key - and yet they
> recommend 384 bits.  So, no, even by that page, they are not
> recommending "equivalent" key sizes - and in fact the page says just
> that.

Suite B is specified for 128 and 192 bit security levels, with the 192
bit level using ECC-384, SHA-384, and AES-256. So it seems like if
there is a hint to be drawn from the Suite B params, it's about

> (b) most of the Internet is way behind recommendations that are now
> out there for everyone.  Google recently switched to 2048 bit keys;
> hardly any other sites have done so, and some older software even
> has trouble talking to Google as a result.

Not to mention that our entire PKI system (as well as TLS < 1.2, ie
the versions actually supported in browsers) rely on the security of
SHA-1, an algorithm which has a public 2**68 (IIRC) collision attack
and which was phased out by NIST years ago.

Fortunately now TLS 1.2 is finally being forced into most browsers
thanks to BEAST, Lucky13, RC4 breaks, etc but still we're bound to see
some major problems on the PKI side when a practical chosen prefix
SHA-1 collision is found, as I expect at least a few widely used CAs
have still not adopted randomized serial numbers and will have the MD5
experience all over again.

> On the symmetric side, I've already agreed that NSA's approval
> indicated that the considered AES secure 10 years ago, but if
> they've since learned otherwise but think they are and will remain
> the only ones with a viable attack for a while, they would be
> unlikely to admit it by changing their recommendation now.

Worth noting that NIST has announced plans to create AEAD modes based
on Keccak. It will be interesting to see how quickly AES-GCM is phased
out of Suite B once that occurs.


More information about the cryptography mailing list