[Cryptography] NSA and cryptanalysis

Jon Callas jon at callas.org
Tue Sep 3 00:49:29 EDT 2013

Hash: SHA1

On Sep 2, 2013, at 3:06 PM, "Jack Lloyd" <lloyd at randombit.net> wrote:

> On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
>> a) The very reference you give says that to be equivalent to 128
>> bits symmetric, you'd need a 3072 bit RSA key - but they require a
>> 2048 bit key.  And the same reference says that to be equivalent to
>> 256 bits symmetric, you need a 521 bit ECC key - and yet they
>> recommend 384 bits.  So, no, even by that page, they are not
>> recommending "equivalent" key sizes - and in fact the page says just
>> that.
> Suite B is specified for 128 and 192 bit security levels, with the 192
> bit level using ECC-384, SHA-384, and AES-256. So it seems like if
> there is a hint to be drawn from the Suite B params, it's about
> AES-192.

The real issue is that the P-521 curve has IP against it, so if you want to use freely usable curves, you're stuck with P-256 and P-384 until some more patents expire. That's more of it than 192 bit security. We can hold our noses and use P-384 and AES-256 for a while.


Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii


More information about the cryptography mailing list