On Thu, 11 Oct 2007 21:50:06 -0700 Bill Stewart <[EMAIL PROTECTED]> wrote:
> > > > | Which is by the way exactly the case with SecureIM. How > > > | hard is it to brute-force 128-bit DH ? My "guesstimate" > > > | is it's an order of minutes or even seconds, depending > > > | on CPU resources. > > Sun's "Secure NFS" product from the 1980s had 192-bit Diffie-Hellman, > and a comment in one of the O'Reilly NFS books says that > "However, by 1990, advances in RISC processors produced > workstation machines that could, by brute force, > derive the private key from any public key in under a day." > but that in 1987 there were still a lot of Motorola 68010 machines > that took several minutes to generate keys so they didn't want it > longer. I'm guessing that a 1990 RISC machine was around 50 MIPS, > so it's maybe 1/100 the speed of a modern single-core CPU. > > 128-bit DH sounds like as good a decision as using 40-bit RC4 keys > would be today. > It wasn't just brute force, it was math. @Article{ nfscrack, author = {Brian A. LaMacchia and Andrew M. Odlyzko}, journal = {Designs, Codes, and Cryptography}, pages = {46--62}, title = {Computation of Discrete Logarithms in Prime Fields}, volume = {1}, year = {1991}, annote = {Describes how the authors cryptanalyzed Secure RPC.} } --Steve Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]