[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Phillip Hallam-Baker phill at hallambaker.com
Sun Aug 16 13:49:50 EDT 2015


On Sat, Aug 15, 2015 at 2:54 PM, John Gilmore <gnu at toad.com> wrote:

> > Right now we do have a defacto consensus algorithm suite:
> >
> > SHA-2-256
> > HMAC-SHA-2-256
> > AES128 CBC
> > RSA-2048
> > ECDH-256
> >
> > The main problem with this set is the RSA part and in particular key
> > generation which is difficult and painful. The strength is not ideal either
> > and RSA really hits diminishing returns above 2048 bits.
>
> This seems like yet another example of Binary RSA Myopia.
>
> If the cost of RSA at 2048 bits is too high, why not use 2016 bits?
> Or 1984 bits?  Or 1600 bits?  Or 1216 bits?  (NSA's 1024-bit RSA-
> cracker won't work on a 1216-bit prime.  It probably won't even work on
> a 1056-bit prime, since myopia has caused fools to 'standardize' on
> 1024-bit keys and now a huge majority of TLS keys are 1024 bits.)
>

Read and respond to what I wrote if you want to accuse others of myopia.
Your eyesight is clearly faulty.

"The strength is not ideal"

RSA2048 is reckoned to present a work factor of 2^112 which falls short of
the 128 we prefer.

To get to 128 bits we need 3072 bits. And even then that is only 128 bits
against the best attack currently known.



"RSA really hits diminishing returns above 2048 bits."

If we want to get to 2^256 work factor we need to more than double the
number of bits, we need 15360 bits which is ridiculous.



> And I'm not sure why you say 'RSA really hits diminishing returns
> above 2048 bits'.  Do you mean, using myopia, that you don't think the
> price/performance of 4096 bits is worthwhile?  Then why didn't you say
> so?  My RSA OpenPGP key has 3200 bits and it seems to have no
> difficulties in price/performance or interoperation.
>
>         John
>

The tone of your response suggests that you need to consider the fact that
if someone is saying something that appears to be stupid, you are reading
it wrong rather than the other person wrote something stupid.
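The work-factor figures argued over above (2048 bits for 2^112, 3072 for 2^128, 15360 for 2^256) follow from the sub-exponential cost of the general number field sieve. The script below is an added illustration, not code from the list or from either poster: it evaluates the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)], calibrates it to the message's own anchor (RSA-2048 ~ 2^112), and then shows how many security bits each additional 1024 modulus bits buys, which is what "diminishing returns" means here.

```python
import math

# Heuristic GNFS running time L_n[1/3, (64/9)^(1/3)], expressed in log2 units.
# This is the asymptotic cost model behind "RSA hits diminishing returns".
# It carries no constant factors, so values are only meaningful relative to
# each other; the calibration below pins them to a known reference point.
_GNFS_C = (64 / 9) ** (1 / 3)

def gnfs_log2_work(modulus_bits: int) -> float:
    ln_n = modulus_bits * math.log(2)            # ln(n) for an n-bit modulus
    nats = _GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return nats / math.log(2)

# Calibration point taken from the message: RSA-2048 ~ 2^112 work factor.
REF_BITS, REF_SECURITY = 2048, 112
_SCALE = REF_SECURITY / gnfs_log2_work(REF_BITS)

def estimated_security_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent security estimate for an RSA modulus size."""
    return _SCALE * gnfs_log2_work(modulus_bits)

def modulus_bits_for_security(target_bits: float) -> int:
    """Smallest modulus size whose estimate reaches target_bits.
    Binary search is valid because the estimate grows monotonically."""
    lo, hi = 512, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if estimated_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def marginal_gain(modulus_bits: int, step: int = 1024) -> float:
    """Security bits gained by adding `step` bits to the modulus."""
    return (estimated_security_bits(modulus_bits + step)
            - estimated_security_bits(modulus_bits))

if __name__ == "__main__":
    for b in (1024, 2048, 3072, 4096, 15360):
        print(f"RSA-{b:<6} ~ {estimated_security_bits(b):6.1f} bits "
              f"(+{marginal_gain(b):.1f} for the next 1024 modulus bits)")
    for target in (112, 128, 192, 256):
        need = modulus_bits_for_security(target)
        print(f"{target} bits of security needs a ~{need}-bit modulus")
```

The per-1024-bit gain shrinks at every step (roughly 29, 21, 17 bits for 1024, 2048, 3072), which is why reaching 2^256 needs a modulus several times larger than the 3072 bits that suffice for 2^128; the calibrated estimates land within a few bits of the NIST SP 800-57 equivalences for 3072 and 15360.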