[18660] in cryptography@c2.net mail archive
Re: NSA Suite B Cryptography
daemon@ATHENA.MIT.EDU (Alexander Klimov)
Fri Oct 14 16:07:36 2005
X-Original-To: cryptography@metzdowd.com
Date: Fri, 14 Oct 2005 21:28:51 +0200 (IST)
From: Alexander Klimov <alserkli@inbox.ru>
To: cryptography@metzdowd.com
In-Reply-To: <20051014171910.D66733BFD37@berkshire.machshav.com>
On Fri, 14 Oct 2005, Steven M. Bellovin wrote:
> Precisely. NSA's actions here are independent of whether or not they
> like open source software on other criteria. They've determined that
> ECC presents a better cost-benefit tradeoff. We all understand, I
> think, why they're not enamored with 1024-bit RSA. Doubling the key
> size means a ~8x performance hit for the signer and 4x for the
> verifier; they need to worry about embedded devices such as secure
> phones, sensors, and things like smart landmines.

I guess that for common people there is no real problem with RSA in
the next twenty years:

* according to NIST [1] RSA-1024 is OK through 2010 and RSA-2048 is
  OK through 2030;
* even now it takes only about 30 ms for an RSA-2048 decryption /
  signing on a PC [2] and the performance of mobiles is in the same
  range (~100 ms) due to dedicated coprocessors;
* in most modern applications 256 bytes is not an issue.

Unfortunately, for Top Secret traffic they need 192-bit security, that
is, RSA-7680 [1], and so they want ECC *right now*.

[1] Recommendation for Key Management -- Part 1: General
NIST Special Publication 800-57
http://csrc.nist.gov/CryptoToolkit/kms/SP800-57Part1August2005.pdf
[2] Crypto++ 5.2.1 Benchmarks
http://www.eskimo.com/~weidai/benchmarks.html
--
Regards,
ASK
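
Added example, not part of the original message or of either author's code: it puts numbers on the two arguments in this thread by estimating the symmetric-equivalent strength of each RSA modulus size and scaling the ~30 ms RSA-2048 signing figure with the "~8x signer, 4x verifier per doubling" rule of thumb. Assumptions: the strength estimate is the general number field sieve cost formula NIST gives in SP 800-56B Rev. 2, Appendix D; the cost model is a plain cubic/quadratic extrapolation; the 128-bit and 256-bit rows come from the SP 800-57 table, not from the message; all function names are illustrative.

```python
import math

def rsa_strength_bits(modulus_bits):
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Based on the GNFS running-time estimate (assumed source: NIST
    SP 800-56B Rev. 2, Appendix D). NIST's tables round the result to
    the standard levels 80/112/128/192/256.
    """
    x = modulus_bits * math.log(2)
    return (1.923 * (x * math.log(x) ** 2) ** (1 / 3) - 4.69) / math.log(2)

def relative_cost(modulus_bits, base_bits=2048):
    """Return (private-op, public-op) cost relative to base_bits.

    Rule of thumb from the quoted text: doubling the key size costs
    ~8x for the signer (cubic) and ~4x for the verifier (quadratic).
    """
    ratio = modulus_bits / base_bits
    return ratio ** 3, ratio ** 2

# (security level in bits, RSA modulus bits) pairs from SP 800-57 Part 1.
NIST_PAIRS = [(80, 1024), (112, 2048), (128, 3072), (192, 7680), (256, 15360)]

# RSA-2048 private-key operation time quoted in the message (2005-era PC).
BASE_SIGN_MS = 30.0

def table():
    """One row per NIST level: level, modulus, estimate, cost factors, ms."""
    rows = []
    for level, bits in NIST_PAIRS:
        sign_x, verify_x = relative_cost(bits)
        rows.append((level, bits, round(rsa_strength_bits(bits), 1),
                     round(sign_x, 2), round(verify_x, 2),
                     round(BASE_SIGN_MS * sign_x)))
    return rows

if __name__ == "__main__":
    print("level  modulus  est.bits  sign-x  verify-x  sign-ms")
    for row in table():
        print("%5d  %7d  %8.1f  %6.2f  %8.2f  %7d" % row)
```

Under this model an RSA-7680 private-key operation costs roughly 53 times an RSA-2048 one, which turns the 30 ms figure into about 1.6 seconds on the same hardware.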