Some additional comments on this subject:
1. NIST has published its own table of equivalent strengths of various sizes of keys and other parameters. It's got essentially the same columns as Lenstra's table, but doesn't have a row for every year. Rather, it has rows for different discrete key sizes.
It was published in IEEE Security & Privacy (a periodical) in the March/April 2003 edition, page 48. A PDF file is available to IEEE subscribers, but AFAIK is not available for free on the web.
That table disagrees with Lenstra's table in a number of ways, including: - the pairing of Discrete Log field sizes and key (private value) sizes. - the pairing of symmetric key sizes to DL field sizes.
Here is a small excerpt from NIST's table:
symmetric alg/key hash field size DL private value size ----------------- ------- ---------- --------------------- SkipJack - 80 SHA-1 1024 160 3DES - 112 2048 244 AES - 128 SHA-256 3072 256 AES - 256 SHA-512 15360 512
I point this out only to show that no single table is "gospel" truth.
2. Andrey pointed out that these tables all list, in each row, a single field-sizez value that applies to RSA, DSA and DH. On that basis, he suggests that NSS should employ the same limit for each of those algorithms.
However, the point of the limit imposed by NSS is to bound computation time, and the time taken by these different algorithms for the same key/field sizes are quite different. Therefore, the size limits are not likely to be equal in number of bits allowed, but rather in computational time permitted.
That's why I wrote that the new limit on DH field sizes would be NO MORE than (implying, possibly (much) less than) 2236 bits.
/Nelson _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
