[146534] in cryptography@c2.net mail archive
Re: [Cryptography] NSA and cryptanalysis
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Sep 3 12:31:16 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <3DDA4D70-AF03-46F6-84A2-CA933DF81DC4@callas.org>
Date: Tue, 3 Sep 2013 11:13:04 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Jon Callas <jon@callas.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
Jack Lloyd <lloyd@randombit.net>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Tue, Sep 3, 2013 at 12:49 AM, Jon Callas <jon@callas.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Sep 2, 2013, at 3:06 PM, "Jack Lloyd" <lloyd@randombit.net> wrote:
>
> > On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
> >
> >> a) The very reference you give says that to be equivalent to 128
> >> bits symmetric, you'd need a 3072 bit RSA key - but they require a
> >> 2048 bit key. And the same reference says that to be equivalent to
> >> 256 bits symmetric, you need a 521 bit ECC key - and yet they
> >> recommend 384 bits. So, no, even by that page, they are not
> >> recommending "equivalent" key sizes - and in fact the page says just
> >> that.
> >
> > Suite B is specified for 128 and 192 bit security levels, with the 192
> > bit level using ECC-384, SHA-384, and AES-256. So it seems like if
> > there is a hint to be drawn from the Suite B params, it's about
> > AES-192.
> >
>
> The real issue is that the P-521 curve has IP against it, so if you want
> to use freely usable curves, you're stuck with P-256 and P-384 until some
> more patents expire. That's more of it than 192 bit security. We can hold
> our noses and use P-384 and AES-256 for a while.
>
> Jon
>
What is the state of prior art for the P-384? When was it first published?

Given that RIM is trying to sell itself right now and the patents are the
only asset worth having, I don't have good feelings on this. Well apart
from the business opportunities for expert witnesses specializing in crypto.

The problem is that to make the market move we need everyone to decide to
go in the same direction. So even though my employer can afford a license,
there is no commercial value to that license unless everyone else has
access.

Do we have an ECC curve that is (1) secure and (2) has a written
description prior to 1 Sept 1993?

Due to submarine patent potential, even that is not necessarily enough but
it would be a start.
--
Website: http://hallambaker.com/
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography