On Tue, Sep 3, 2013 at 12:49 AM, Jon Callas <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On Sep 2, 2013, at 3:06 PM, "Jack Lloyd" <[email protected]> wrote: > > > On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: > > > >> a) The very reference you give says that to be equivalent to 128 > >> bits symmetric, you'd need a 3072 bit RSA key - but they require a > >> 2048 bit key. And the same reference says that to be equivalent to > >> 256 bits symmetric, you need a 521 bit ECC key - and yet they > >> recommend 384 bits. So, no, even by that page, they are not > >> recommending "equivalent" key sizes - and in fact the page says just > >> that. > > > > Suite B is specified for 128 and 192 bit security levels, with the 192 > > bit level using ECC-384, SHA-384, and AES-256. So it seems like if > > there is a hint to be drawn from the Suite B params, it's about > > AES-192. > > > > The real issue is that the P-521 curve has IP against it, so if you want > to use freely usable curves, you're stuck with P-256 and P-384 until some > more patents expire. That's more of it than 192 bit security. We can hold > our noses and use P-384 and AES-256 for a while. > > Jon >
What is the state of prior art for the P-384? When was it first published? Given that RIM is trying to sell itself right now and the patents are the only asset worth having, I don't have good feelings on this. Well apart from the business opportunities for expert witnesses specializing in crypto. The problem is that to make the market move we need everyone to decide to go in the same direction. So even though my employer can afford a license, there is no commercial value to that license unless everyone else has access. Do we have an ECC curve that is (1) secure and (2) has a written description prior to 1 Sept 1993? Due to submarine patent potential, even that is not necessarily enough but it would be a start. -- Website: http://hallambaker.com/
_______________________________________________ The cryptography mailing list [email protected] http://www.metzdowd.com/mailman/listinfo/cryptography
