Mark Tillotson (markt@harlequin.co.uk)
Wed, 28 Oct 1998 15:36:34 GMT
| > Personally since we all use crypto, we should choose a threat model
| > that few would ever question as being too soft.
| But this game has no end. Why choose 1 in 10^12 as your stopping point?
| What about an intelligence agency willing to spend its entire
| budget to read YOUR email with a 1 in 10^15 probability? That gives
| us another 15 bits of keylength. Or aliens?
The game ends when or before the chances of that comet destroying all
human life dominate!!
Also remember that viable quantum computation may force key lengths to
be doubled. It is interesting that AES specifies 128/192/256 bit
keysizes as requirements?!
| Look, having your crypto unbroken isn't an end in itself. It's
| to keep your traffic protected. Once you get to people willing
| to have an expectation value of $10^18 in order to read YOUR
| traffic, they've got far easier approaches available to them.
Exactly - the point _is_ to force them to use other means!
| Funny that you've omitted the section where they actually name a number:
| "Bearing in mind that the additional computational costs of stronger
| encryption are modest, we strongly recommend a minimum key-length
| of 90 bits for symmetric encryption."
This is a _minimum_ for a threat model of only 20 years lifespan.
You originally suggested that 80 bits was too many.
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22