[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Summary of key derivation thread
On Tue, 10 Dec 2002, Russ Housley wrote:
> Hugo:
>
> Thanks for the clarifications. More on my second question.
>
> > > Question 2: Based on the NIST key management recommendations, a 80
> > bits of
> > > security is adequate for protecting sensitive government information until
> > > 2015, and 112 bits of security is adequate until 2030. Which of these
> > > targets is the mandatory-to-implement aiming at? Or, are we after
> > > something in the middle, say 96 bits?
> >
> >I do not know what the "market answer" to this is.
> >But even if you take the "NIST minimum" of 80, you need to go for
> >a modulus longer than 1024, probably 1200 bits (Hilarie may have precise
> >estimates). For 96 bits you already need to exceed the 2048-bit keys.
>
> The NIST key management guidance indicates that 1024-bit Diffie-Hellman and
> 1024-bit RSA provide 80 bits of security. Are you suggesting that this
> guidance is way off?
>
> Russ
>
>
I have never computed these things myself. However, according to
Hilarie's draft on PK sizes it takes 2^80 operations to break a 1195-bit
modulus (using NFS), and Lenstra and Veheul estimate the cost of breaking
a 1024-bit group to be 2^72 operations.
Hugo