[Cryptography] [FORGED] Re: ratcheting DH strengths over time
ianG
iang at iang.org
Tue Nov 17 10:01:14 EST 2015
On 16/11/2015 09:24 am, Bill Cox wrote:
> On Sun, Nov 15, 2015 at 8:18 PM, Tony Arcieri <bascule at gmail.com
>
> I like the idea of auto-increasing the key sizes. If this were somehow
> block-chain based, difficulty could be a function of solving discrete
> log problems of increasing size. The otherwise wasted CPU cycles in
> mining could be used to work on factoring or solving discrete logs.

If you mean, the client does a work thing and tests how big a key it can
create in say 10s, then that is a metric, but it's pretty loose. The
problem here is that you're measuring your CPU, whereas what we want to
predict is the attacker's work difficulty.

Unless you really mean "blockchain based" and then everyone is fighting
to increase the difficulty. I'm not seeing why that would help. But I
have proposed elsewhere that the PoW function should really be a
function over checking & signing RSA signatures, so we could more
economically use the past-life mining boxes for fast SSL.

> It might be simpler to have everyone use a minimum of 2048 bit keys for
> now for DH and RSA.

Yes - but how do you get the protocol designers to agree to use 2048
only? The point I'm trying to reach is where there is *no user config
required* which means that the protocol designer has to lay it out for
probably 20 years.

iang