Scott Fluhrer (sfluhrer) writes:
> If the requirement for AES-256 is to handle the scenario "someone
> gets a quantum computer", then in that scenario, there is no
> realistic DH group size that is secure.

That we do not know until we know what those quantum computers can really do... I have not seen anybody saying how many qubits you need to break MODP-2048. Most of the things I have seen talk about factoring RSA, and even then they do not provide numbers. draft-hoffman-c2pq also says that we might have machines breaking AES-128 before we have machines that can break Diffie-Hellman, i.e., it is most likely easier to make a machine running Grover's algorithm than a machine running Shor's algorithm.

> Hence, I personally see no point in allocating IANA numbers for the
> larger than 8k MODP groups. The only scenario I can think of where
> they might be useful would be one where all of the following apply:
>
> - We believe that there's an adversary that can perform
> significantly more than circa 2**128 computations'
> - We are not concerned with adversaries with a Quantum Computer
> - For some reason, we don't want to use ECDH.

Or cases where the customer requires your product to include support for a 256-bit security level. Perhaps they read from the paper that 128 bits is too little if someone gets a quantum computer, and that's why 256-bit security is what you need. I.e., there is no real security reason for that, just to be able to tick the check box saying "supports security level of 256 bits". To provide that you need AES-256 and SHA2-512 for the symmetric parts, and then either P-521 or MODP-15360 for Diffie-Hellman. If you do not have ECDH in your implementation it is much easier to add just MODP-16384 in the configuration, especially as the main reason is to tick that check box.

--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
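The "weakest link" reasoning in the exchange above (a 256-bit proposal needs AES-256, SHA2-512 and P-521 or MODP-15360, and no DH group survives a Shor-capable adversary) can be made mechanical. The following is an added example written for this page, not code from the thread or from any IPsec implementation: it rates each component of an IKE-style proposal, takes the minimum, and then re-rates the same proposal against the quantum adversary the thread debates. Strength figures are the classical ones from NIST SP 800-57 Part 1 Rev. 5, Table 2; the treatment of MODP sizes that NIST does not list (such as MODP-16384, rated as the next smaller listed size) and the simple Grover/Shor adjustments are assumptions made here, not figures from the page or from NIST.

```python
"""Weakest-link security-level check for an IKE-style proposal (added example)."""
import re

# NIST SP 800-57 Part 1 Rev. 5, Table 2: finite-field (MODP) modulus bits -> strength.
MODP_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Same table, prime-field elliptic curves by NIST name -> strength.
ECDH_STRENGTH = {"P-256": 128, "P-384": 192, "P-521": 256}


def symmetric_strength(name):
    """Classical strength of a block cipher is its key length (AES-256 -> 256)."""
    m = re.fullmatch(r"AES-(128|192|256)", name)
    if not m:
        raise ValueError(f"unknown cipher {name!r}")
    return int(m.group(1))


def hash_strength(name):
    """Collision resistance of a SHA-2 digest: half its output length
    (SHA2-512 -> 256), which is the figure that matters when a 256-bit
    level is the target for the PRF/integrity algorithm."""
    m = re.fullmatch(r"SHA2?-(256|384|512)", name)
    if not m:
        raise ValueError(f"unknown hash {name!r}")
    return int(m.group(1)) // 2


def dh_strength(name):
    """Strength of a Diffie-Hellman group given as MODP-<bits> or a NIST curve name.

    MODP sizes not listed by NIST (e.g. MODP-16384) are given the strength of
    the next smaller listed size.  That is an assumption made in this example,
    not a NIST figure.
    """
    m = re.fullmatch(r"MODP-(\d+)", name)
    if m:
        bits = int(m.group(1))
        listed = [k for k in MODP_STRENGTH if k <= bits]
        if not listed:
            raise ValueError(f"{name} is below the smallest tabulated size")
        return MODP_STRENGTH[max(listed)]
    if name in ECDH_STRENGTH:
        return ECDH_STRENGTH[name]
    raise ValueError(f"unknown DH group {name!r}")


def proposal_strength(enc, prf, dh, quantum=False):
    """Return (overall_level, per_component) for a proposal.

    The overall level is the weakest component.  With quantum=True the model
    is the one discussed on the list: Grover's algorithm halves the effective
    symmetric key length and Shor's algorithm reduces every DH group,
    finite-field or elliptic-curve, to zero.  Quantum collision-finding
    speedups against the hash are not modelled; its classical figure is kept.
    """
    levels = {
        "enc": symmetric_strength(enc),
        "prf": hash_strength(prf),
        "dh": dh_strength(dh),
    }
    if quantum:
        levels["enc"] //= 2
        levels["dh"] = 0
    return min(levels.values()), levels


def check_proposal(enc, prf, dh, target, quantum=False):
    """Return (meets_target, name_of_weakest_component)."""
    level, levels = proposal_strength(enc, prf, dh, quantum)
    weakest = min(levels, key=levels.get)
    return level >= target, weakest


if __name__ == "__main__":
    for proposal in [
        ("AES-256", "SHA2-512", "MODP-2048"),
        ("AES-256", "SHA2-512", "MODP-15360"),
        ("AES-256", "SHA2-512", "P-521"),
    ]:
        for q in (False, True):
            level, parts = proposal_strength(*proposal, quantum=q)
            label = "quantum  " if q else "classical"
            print(f"{label} {proposal}: {level} bits {parts}")
```

Running it shows the two points made in the thread: classically, AES-256 with SHA2-512 is held at 112 bits by MODP-2048 and reaches 256 only with MODP-15360 (or larger) or P-521, while under the quantum model every proposal drops to 0 because the DH component does, regardless of group size, with AES-256 left at an effective 128 bits.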
