On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter <leich...@lrw.com>
> - To let's look at what they want for TOP SECRET.  First off, RSA -
> accepted for a transition period for SECRET, and then only with
> 2048 bit moduli, which until the last year or so were almost
> unknown in commercial settings - is completely out for TOP SECRET.
> So clearly they're faith in RSA is gone.

That is a misunderstanding.

If you look at the way that the NSA specs these things, they try to
keep all portions of a system of equal security so none is the weak
point. A 2048 bit RSA key is factored vastly more easily than a 256
bit AES key is brute forced (that's just public knowledge -- try doing
the back of the envelope yourself) so that size key would be
insufficient. However, a sufficiently large RSA key to be "correctly
sized" for 256 bit AES is totally impractical for performance reasons,


So clearly the purpose of pushing ECC for this application is that
they want the public key algorithm and its key size to have comparable
security while both performing reasonably well.

> (Same for DH and DSA.)
> It looks as if they are betting that factoring and discrete logs
> over the integers aren't as hard as people had thought.

Not at all, and the rationale is public and seen above.

I believe you're incorrectly claiming that we know much less than we
actually do here.

Perry E. Metzger                pe...@piermont.com
The cryptography mailing list

Reply via email to