[Cryptography] NSA and cryptanalysis
Jon Callas
jon at callas.org
Tue Sep 3 00:49:29 EDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 2, 2013, at 3:06 PM, "Jack Lloyd" <lloyd at randombit.net> wrote:
> On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
>
>> a) The very reference you give says that to be equivalent to 128
>> bits symmetric, you'd need a 3072 bit RSA key - but they require a
>> 2048 bit key. And the same reference says that to be equivalent to
>> 256 bits symmetric, you need a 521 bit ECC key - and yet they
>> recommend 384 bits. So, no, even by that page, they are not
>> recommending "equivalent" key sizes - and in fact the page says just
>> that.
>
> Suite B is specified for 128 and 192 bit security levels, with the 192
> bit level using ECC-384, SHA-384, and AES-256. So it seems like if
> there is a hint to be drawn from the Suite B params, it's about
> AES-192.
>
The real issue is that the P-521 curve has IP against it, so if you want to use freely usable curves, you're stuck with P-256 and P-384 until some more patents expire. That's more of it than 192 bit security. We can hold our noses and use P-384 and AES-256 for a while.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSJWpasTedWZOD3gYRAjMtAKD/W9IPWtI8qwpP7w0v1aX9BgrwHACeMsRl
594r4LFPCTsIA9+xBUk4/5Q=
=RGYR
-----END PGP SIGNATURE-----
More information about the cryptography
mailing list