Eric Rescorla (ekr@rtfm.com)
Wed, 28 Oct 1998 07:46:16 -0800
> Also remember that viable quantum computation may force key lengths to
> be doubled. It is interesting that AES specifies 128/192/256 bit
> keysizes as requirements?!
> | Look, having your crypto unbroken isn't an end in itself. It's
> | to keep your traffic protected. Once you get to people willing
> | to have an expectation value of $10^18 in order to read YOUR
> | traffic, they've got far easier approaches available to them.
>
> Exactly - the point _is_ to force them to use other means!
Which is easily done when the expectation value of a key is
in the 10^9 range. 10^18 is overkill by 9 orders of
magnitude.
> | Funny that you've omitted the section where they actually name a number:
> | "Bearing in mind that the additional computational costs of stronger
> | encryption are modest, we strongly recommend a minimum key-length
> | of 90 bits for symmetric encryption."
>
> This is a _minimum_ for a threat model of only 20 years lifespan.
Correct. I said that 80 bits would do the job for 10. Since Moore's
law is a bit every 1.5 years, these two figures are in agreement.
> You originally suggested that 80 bits was too many.
No, I suggested that 80 bits would do the job. I stand
by that.
-Ekr
[Eric Rescorla ekr@rtfm.com]