On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter <[email protected]> wrote: > - To let's look at what they want for TOP SECRET. First off, RSA - > accepted for a transition period for SECRET, and then only with > 2048 bit moduli, which until the last year or so were almost > unknown in commercial settings - is completely out for TOP SECRET. > So clearly they're faith in RSA is gone.
That is a misunderstanding. If you look at the way that the NSA specs these things, they try to keep all portions of a system of equal security so none is the weak point. A 2048 bit RSA key is factored vastly more easily than a 256 bit AES key is brute forced (that's just public knowledge -- try doing the back of the envelope yourself) so that size key would be insufficient. However, a sufficiently large RSA key to be "correctly sized" for 256 bit AES is totally impractical for performance reasons, see: http://www.nsa.gov/business/programs/elliptic_curve.shtml So clearly the purpose of pushing ECC for this application is that they want the public key algorithm and its key size to have comparable security while both performing reasonably well. > (Same for DH and DSA.) > It looks as if they are betting that factoring and discrete logs > over the integers aren't as hard as people had thought. Not at all, and the rationale is public and seen above. I believe you're incorrectly claiming that we know much less than we actually do here. Perry -- Perry E. Metzger [email protected] _______________________________________________ The cryptography mailing list [email protected] http://www.metzdowd.com/mailman/listinfo/cryptography
