[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

John Gilmore gnu at toad.com
Sat Aug 15 14:54:09 EDT 2015


> Right now we do have a de facto consensus algorithm suite:
> 
> SHA-2-256
> HMAC-SHA-2-256
> AES128 CBC
> RSA-2048
> ECDH-256
> 
> The main problem with this set is the RSA part and in particular key
> generation which is difficult and painful. The strength is not ideal either
> and RSA really hits diminishing returns above 2048 bits.

This seems like yet another example of Binary RSA Myopia.

If the cost of RSA at 2048 bits is too high, why not use 2016 bits?
Or 1984 bits?  Or 1600 bits?  Or 1216 bits?  (NSA's 1024-bit RSA-cracker
won't work on a 1216-bit prime.  It probably won't even work on 
a 1056-bit prime, since myopia has caused fools to 'standardize' on
1024-bit keys and now a huge majority of TLS keys are 1024 bits.)

And I'm not sure why you say "RSA really hits diminishing returns
above 2048 bits".  Do you mean, using myopia, that you don't think the
price/performance of 4096 bits is worthwhile?  Then why didn't you say
so?  My RSA OpenPGP key has 3200 bits and it seems to have no
difficulties in price/performance or interoperation.

	John
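
As an added illustration of the key-size argument in the post above (not code from the post or its author), the following Python estimates the relative factoring work for the modulus sizes John mentions using the standard GNFS L-notation heuristic; the symmetric-equivalent figures it prints are approximate and are not numbers from the post.

```python
import math

# Sizes discussed in the post above, plus the 'standard' ones for comparison.
KEY_SIZES = [1024, 1056, 1216, 1600, 1984, 2016, 2048, 3200, 4096]

def gnfs_log2_work(bits: int) -> float:
    """Heuristic log2 of the work to factor a `bits`-bit RSA modulus with the
    General Number Field Sieve: L_n[1/3, (64/9)^(1/3)] with the o(1) term
    dropped. Constants and real implementations shift the absolute numbers,
    so treat the result as a relative measure between sizes, not a hard
    security level."""
    ln_n = bits * math.log(2)                 # natural log of n, n ~ 2^bits
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)

def relative_cost(bits: int, baseline: int = 1024) -> float:
    """How many times harder (by the heuristic) `bits` is than `baseline`."""
    return 2 ** (gnfs_log2_work(bits) - gnfs_log2_work(baseline))

def cost_table(sizes=KEY_SIZES, baseline=1024):
    """Rows of (modulus bits, approx symmetric-equivalent bits, x-times-baseline).
    Note the heuristic says nothing about whether special-purpose hardware
    built for one size can be re-targeted to another; it only ranks sizes."""
    return [(b, round(gnfs_log2_work(b)), round(relative_cost(b, baseline), 1))
            for b in sizes]

if __name__ == "__main__":
    print(f"{'modulus':>8} {'~sym bits':>10} {'x 1024-bit':>11}")
    for bits, sym, rel in cost_table():
        print(f"{bits:>8} {sym:>10} {rel:>11}")
```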

