[Cryptography] ratcheting DH strengths over time

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 20 18:16:12 EST 2015


Jon McEnroe [jon at callas.org] writes:

>WHAT THE HELL IS WRONG WITH YOU PEOPLE? NIST ***TOLD*** ***YOU*** TO GET OFF
>THIS STUFF A DOZEN YEARS AGO!

The problem is that NIST make endless numbers of random recommendations, many
of which seem to be based on little more than numerology.  Cherry-picking one
of the many and saying "I toldja so" well after the event is easy enough when
you've got dozens of them to pick and choose from.

I could just as easily have said:

WHAT THE HELL IS WRONG WITH YOU PEOPLE? NIST^H^H^H^HHANS DOBBERTIN ***TOLD***
***YOU*** TO GET OFF THIS STUFF A DOZEN^H^H^H^H^H^H^HTWENTY YEARS AGO!

(I'm talking about RIPEMD-160 here, a drop-in replacement for SHA-1 that
hasn't succumbed to the SHA-1 attacks).

WHAT THE HELL IS WRONG WITH YOU PEOPLE? NIST^H^H^H^HFAPSI ***TOLD*** ***YOU***
TO GET OFF THIS STUFF A DOZEN^H^H^H^H^H^H^HMORE THAN TWENTY YEARS AGO!

(This time it's GOST GOST R 34.11-94, there's a 2^105 attack on it but that's
still a lot better than SHA-1's innate 2^80 collision security).

WHAT THE HELL IS WRONG WITH YOU PEOPLE?  THAT BALL WAS ON THE LINE.  CHALK
FLEW UP!  HOW CAN YOU POSSIBLY CALL THAT OUT?!  YOU CANNOT BE SERIOUS!

(Sorry, wrong thread).

>What does it actually take to stop talking and do something? Come on, if we
>can't move off of 80 bit crypto for a dozen years after a warning from NIST
>we're going to do a ratchet? Really? I mean REALLY?

Horses for courses.  A lot of the stuff out there doesn't have intelligence
agencies as attackers (and if they really want to get in, they'll get in no
matter what you do anyway).  For an awful lot of where my stuff gets used,
SHA-1 and 1024-bit keys are just fine for the foreseeable future (when I say
"a lot" I mean "probably the majority", but then I'd have to enumerate all the
uses to figure out what the real ratio is).  Heck, 512-bit keys are fine for
many applications, because it's only being used to keep out nosy people and
nuisance-level attacks.

Providing a gradual upgrade path for these situations has a far greater chance
of success than setting some unachievable (with the current hardware/software)
goal that signals to people that it's safe to ignore because it's so
unrealistic.

Peter.
