[146531] in cryptography@c2.net mail archive
Re: [Cryptography] NSA and cryptanalysis
daemon@ATHENA.MIT.EDU (Jon Callas)
Tue Sep 3 00:54:40 2013
X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <20130902220604.GA5498@randombit.net>
Date: Mon, 2 Sep 2013 21:49:29 -0700
To: "Jack Lloyd" <lloyd@randombit.net>
Cc: cryptography@metzdowd.com, Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 2, 2013, at 3:06 PM, "Jack Lloyd" <lloyd@randombit.net> wrote:
> On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
>
>> a) The very reference you give says that to be equivalent to 128
>> bits symmetric, you'd need a 3072 bit RSA key - but they require a
>> 2048 bit key. And the same reference says that to be equivalent to
>> 256 bits symmetric, you need a 521 bit ECC key - and yet they
>> recommend 384 bits. So, no, even by that page, they are not
>> recommending "equivalent" key sizes - and in fact the page says just
>> that.
>
> Suite B is specified for 128 and 192 bit security levels, with the 192
> bit level using ECC-384, SHA-384, and AES-256. So it seems like if
> there is a hint to be drawn from the Suite B params, it's about
> AES-192.
>
The real issue is that the P-521 curve has IP against it, so if you want to use freely usable curves, you're stuck with P-256 and P-384 until some more patents expire. That's more of it than 192 bit security. We can hold our noses and use P-384 and AES-256 for a while.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSJWpasTedWZOD3gYRAjMtAKD/W9IPWtI8qwpP7w0v1aX9BgrwHACeMsRl
594r4LFPCTsIA9+xBUk4/5Q=
=RGYR
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
