EKR (ekr@rtfm.com)
26 Oct 1998 18:32:04 -0800
Anonymous <nobody@replay.com> writes:
> > 2) Is 160 bits sufficient for y?
>
> No -- although I don't know much about the difficulty of the DLP with
> various parameters, I do know the KEA spec uses 160 bits to (allegedly)
> force 2^80 operations upon attackers, not enough to keep your kid sister
> out.
While it's true that 80 bits probably isn't strong enough to protect
secrets that have long (10 plus years) lifetimes, claiming that it's
not strong enough to keep your kid sister out is ridiculous.
Thanks to the EFF DES cracking effort we've got a real good idea for
a lower bound on how strong 80 bits is.[1] A 56 bit machine costs
order $250K (let's assume $100K since the design effort is already
done) and can crack a 56 bit key in 3 days. Such a machine could
crack an 80 bit key in, oh, 100,000 years. So, let's say we were
willing to put 100 million into it, then we'd be able to get
it in 100 years. I don't know about you, but my kid sister
doesn't have that kind of pocket change floating around.
Now, in 10 years, a machine built for the same price will be
able to do the job in a year or so. Then we'll have something
to worry about.
-Ekr
[1] Yes, I know I'm assuming that the basic operation here is
no faster than a trial DES key. However, I believe this is a
fairly safe assumption.
-- [Eric Rescorla ekr@rtfm.com]
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22