[Cryptography] [FORGED] Re: ratcheting DH strengths over time

Tony Arcieri bascule at gmail.com
Mon Nov 16 19:06:29 EST 2015


On Mon, Nov 16, 2015 at 3:24 AM, Bill Cox <waywardgeek at gmail.com> wrote:

> Yes, longer key sizes will resist quantum attacks longer.  My
> understanding (which could easily be wrong) is that the difficulty of
> increasing the number of qubits in a machine grows exponentially with the
> number of qubits, which is why I think we'd see ECC keys attacked well
> before longer EC and RSA keys.
>

ianG is suggesting we use 1024-bit D-H in 2015, which is odd as all methods
on http://www.keylength.com/en/compare/ suggest that isn't strong enough.

I don't believe there's a considerable difference in the number of qubits
needed to attack a ~256-bit elliptic curve versus 1024-bit D-H.


> It might be simpler to have everyone use a minimum of 2048 bit keys for
> now for DH and RSA.
>

That would, by far, be a much simpler solution, and sufficient to ward off
non-quantum attacks for at least a decade.

-- 
Tony Arcieri