[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
ianG
iang at iang.org
Tue Aug 18 11:19:06 EDT 2015
On 17/08/2015 18:56 pm, Viktor Dukhovni wrote:
> On Mon, Aug 17, 2015 at 07:59:26AM -0700, Ray Dillinger wrote:
>
>>> "RSA really hits diminishing returns above 2048 bits."
>>>
>>> If we want to get to 2^256 work factor we need to more than double the
>>> number of bits, we need 15360 bits which is ridiculous.
>>
>> I don't believe it's ridiculous. I mean, yes, large, but still under
>> 2k. We already had keys of such a length that nobody was going to
>> enter them by hand, and 2k is near-epsilon with regard to today's
>> protocols.
>>
>> It probably lets the bottom tier devices have a decent excuse not to
>> implement it, but other than that it's fine.
>
> The performance cost is ridiculous:
>
>                    sign     verify    sign/s  verify/s
> rsa 1024 bits  0.000467s  0.000022s   2143.0   44570.3
> rsa 2048 bits  0.002530s  0.000074s    395.3   13592.8
> rsa 4096 bits  0.014179s  0.000198s     70.5    5047.2
>
> What sort of numbers do you expect for RSA at 15k bits? I would
> conjecture around 2 signatures per second, and thus entirely
> unsuitable for key agreement. Perhaps still usable for verifying
> certificate signatures, but with enough such certificates in a
> chain, the chain will exceed TLS message size limits.
NSA is now pushing the notion that quantum vulnerable algorithms are to
be avoided [0] [1].
fwiw, my understanding is in responding to quantum, we prefer large RSA
in the medium term (8k?) and switch to NTRU [2] in the longer term. We
avoid ECC.
> For the record I don't see a compelling difference between a 112-bit
> work-factor and a 128-bit work-factor, provided the estimates hold
> up reasonably well. Also it seems that memory requirement for the
> matrix stage of GNFS for large moduli are quite prohibitive. Are
> the work-factor estimates for large RSA moduli too conservative?
Right, dial down to 128 level. Or, we go to second order risk analysis
-- who is our likely attacker, and is he likely to have quantum attack?
For most people most of the time, NSA isn't our attacker, so maybe we
accept this risk.
Problem is, once the NSA has shifted in this direction, NIST comes out
with standards for USG. Then, people who don't do their own security
risk analysis copy NIST and the sheep move to protecting whatever it is
that NSA was worried about.
iang
[0] I posted this hint last week
http://www.metzdowd.com/pipermail/cryptography/2015-August/026287.html
[1] John Young posted this hint too:
http://www.metzdowd.com/pipermail/cryptography/2015-August/026303.html
CNSS Advisory Memo on Use of Public Standards for Secure Sharing of
Information Among NatSec Systems 08/11/15
This Advisory expands on the guidance contained in CNSS Policy No. 15,
National Information Assurance Policy on the Use of Public Standards for
the Secure Sharing of Information Among National Security Systems
(Reference a). Based on analysis of the effect of quantum computing on
Information Assurance (IA) and IA-enabled Information Technology (IT)
products, the policy’s set of authorized algorithms is expanded to
provide vendors and IT users more near-term flexibility in meeting their
IA interoperability requirements. The purpose behind this additional
flexibility is to avoid vendors and customers making two major
transitions in a relatively short timeframe, as we anticipate a need *to
shift to quantum-resistant cryptography in the near future*.
[2] NTRU: https://en.wikipedia.org/wiki/NTRU
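As an added worked example (not part of the thread or anyone's posted code): extrapolating the openssl signing times quoted above to the 15360-bit modulus Ray mentions, using a log-log power-law fit, and computing the uncalibrated GNFS L[1/3, (64/9)^(1/3)] estimate that underlies the 112/128/256-bit work-factor equivalences discussed. The fitted exponent and the dropped o(1) term are this example's assumptions; the timings are the three rows from the thread.

```python
import math

# Signing times quoted in the thread (modulus bits, seconds per sign).
QUOTED_SIGN_TIMES = [(1024, 0.000467), (2048, 0.002530), (4096, 0.014179)]

# NIST SP 800-57 Part 1 equivalences, for comparison against the estimate below.
NIST_EQUIVALENT_BITS = {1024: 80, 2048: 112, 3072: 128, 15360: 256}


def fit_power_law(points):
    """Least-squares fit of t = a * bits**e in log-log space; returns (a, e)."""
    xs = [math.log(b) for b, _ in points]
    ys = [math.log(t) for _, t in points]
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    sxx = sum((x - xbar) ** 2 for x in xs)
    e = sxy / sxx
    a = math.exp(ybar - e * xbar)
    return a, e


def predict_sign_time(bits, points=QUOTED_SIGN_TIMES):
    """Extrapolated seconds per RSA signature at the given modulus size (assumption:
    the measured power law keeps holding above 4096 bits)."""
    a, e = fit_power_law(points)
    return a * bits ** e


def gnfs_work_factor_bits(modulus_bits):
    """Heuristic GNFS cost L_n[1/3, c] with c = (64/9)^(1/3), expressed in bits.
    The o(1) term is dropped, so this runs roughly 5-10% above the NIST table;
    the point is the shape of the curve, not calibrated absolute values."""
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    ln_n = modulus_bits * math.log(2)
    ln_work = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)


if __name__ == "__main__":
    a, e = fit_power_law(QUOTED_SIGN_TIMES)
    print(f"fitted sign time ~ bits^{e:.2f}")
    for bits in (4096, 8192, 15360):
        t = predict_sign_time(bits)
        print(f"rsa {bits:5d} bits: ~{t:.4f}s per sign, ~{1 / t:.1f} sign/s")
    for bits, nist in NIST_EQUIVALENT_BITS.items():
        print(f"rsa {bits:5d} bits: GNFS estimate {gnfs_work_factor_bits(bits):.0f} bits"
              f" (NIST SP 800-57: {nist})")
```

The fit lands near 2.7 signatures per second at 15360 bits, in line with the "around 2" conjectured in the quoted message.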