[147465] in cryptography@c2.net mail archive


Re: [Cryptography] RSA equivalent key length/strength

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Oct 2 11:08:02 2013

From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 2 Oct 2013 10:59:24 -0400
To: Paul Crowley <paul@ciphergoth.org>
Cc: cryptography <cryptography@metzdowd.com>

On Oct 2, 2013, at 9:54 AM, Paul Crowley <paul@ciphergoth.org> wrote:

> On 30 September 2013 23:35, John Kelsey <crypto.jmk@gmail.com> wrote:
>> If there is a weak curve class of greater than about 2^{80} that NSA knew about 15 years ago and were sure nobody were ever going to find that weak curve class and exploit it to break classified communications protected by it, then they could have generated 2^{80} or so seeds to hit that weak curve class.
>
> If the NSA's attack involves generating some sort of collision between a curve and something else over a 160-bit space, they wouldn't have to be worried that someone else would find and attack that "weak curve class" with less than 2^160 work.

I don't know enough about elliptic curves to have an intelligent opinion on whether this is possible.  Has anyone worked out a way to do this?

The big question is how much work would have had to be done.  If you're talking about a birthday collision on the curve parameters, is that a collision on a 160 bit value, or on a 224 or 256 or 384 or 512 bit value?  I can believe NSA doing a 2^{80} search 15 years ago, but I think it would have had to be a top priority.  There is no way they were doing 2^{112} searches 15 years ago, as far as I can see.

--John
