[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Phillip Hallam-Baker phill at hallambaker.com
Tue Aug 18 08:20:24 EDT 2015


On Mon, Aug 17, 2015 at 10:59 AM, Ray Dillinger <bear at sonic.net> wrote:

>
>
> On 08/16/2015 10:49 AM, Phillip Hallam-Baker wrote:
>
> > RSA2048 is reckoned to present a work factor of 2^112 which falls short of
> > the 128 we prefer.
> >
> > To get to 128 bits we need 3072 bits. And even then that is only 128 bits
> > against the best attack currently known.
> >
> >
> >
> > "RSA really hits diminishing returns above 2048 bits."
> >
> >  If we want to get to 2^256 work factor we need to more than double the
> > number of bits, we need 15360 bits which is ridiculous.
>
> I don't believe it's ridiculous.  I mean, yes, large, but still under
> 2k.  We already had keys of such a length that nobody was going to
> enter them by hand, and 2k is near-epsilon with regard to today's
> protocols.
>
> It probably lets the bottom tier devices have a decent excuse not to
> implement it, but other than that it's fine.
>

Speed is not fine and many of the libraries don't support RSA key sizes
above 4096 bits.

What I originally said was that RSA hits diminishing returns and the math
completely justifies that statement. There certainly wasn't any reason for
the type of response I got from Gilmore. It is not clear to me what 'Binary
RSA Myopia' might be or why it would be appropriate to use such language.

People are going to be using RSA for a very long time. It is not exactly
broken but there are very good reasons that people are using it at 2048
bits rather than 4096 and the industry is looking for ECC-based schemes
rather than even larger keys.
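
The key-size arithmetic discussed in this thread, as an added example that is not part of the original post: it evaluates the GNFS-based strength estimate published in NIST's FIPS 140-2 Implementation Guidance (section 7.5) and shows how few bits of strength each extra 1024 bits of modulus buys. The function names and the cubic cost model for private-key operations are assumptions made for illustration; the estimates land near, not exactly on, the rounded 112/128/256 figures quoted above.

```python
import math

LN2 = math.log(2)

def gnfs_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength estimate for an RSA modulus (GNFS cost)."""
    ln_n = modulus_bits * LN2                      # ln(N) for a modulus of that size
    nats = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return nats / LN2                              # natural-log units -> bits

def min_modulus_bits(target_bits: float, step: int = 256) -> int:
    """Smallest multiple of `step` whose estimate reaches target_bits."""
    hi = 1
    while gnfs_strength_bits(hi * step) < target_bits:
        hi *= 2                                    # bracket the answer first
    lo = 1
    while lo < hi:                                 # estimate is monotonic: bisect
        mid = (lo + hi) // 2
        if gnfs_strength_bits(mid * step) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo * step

def relative_private_op_cost(modulus_bits: int, baseline_bits: int = 2048) -> float:
    """Assumed cubic cost model for private-key operations (schoolbook arithmetic)."""
    return (modulus_bits / baseline_bits) ** 3

def table(sizes=(1024, 2048, 3072, 4096, 7680, 15360)):
    """Rows of (modulus bits, strength, strength gained per extra 1024 bits, cost)."""
    rows, prev = [], None
    for bits in sizes:
        strength = gnfs_strength_bits(bits)
        gain = None
        if prev is not None:
            gain = round((strength - prev[1]) / ((bits - prev[0]) / 1024), 1)
        rows.append((bits, round(strength, 1), gain, relative_private_op_cost(bits)))
        prev = (bits, strength)
    return rows

if __name__ == "__main__":
    for bits, strength, gain, cost in table():
        print(f"{bits:6d} bits  ~{strength:6.1f}-bit strength  "
              f"gain/1024: {gain}  private-op cost vs 2048: {cost:g}x")
    print("smallest size for 128-bit estimate:", min_modulus_bits(128))
    print("smallest size for 256-bit estimate:", min_modulus_bits(256))
```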