On Tue, Sep 28, 1999 at 03:29:18PM -0700, Mixmaster wrote:
> There's a thread on one of the other lists about DH security where several
> people have said that 1024 bit DH has a strength of about 80 bits. But in
> SSL3 1024 bit ephemeral DH is used to protect the keys for 168 bit 3DES
> (EDH-RSA-DES-CBC3-SHA and EDH-DSS-DES-CBC3-SHA ciphers).
>
> Are those ciphers really that far out of balance?
The word "bits" must be taken with a grain of salt here; those
comparisons are really valid only when you look at them
asymptotically and not at specific bit lengths.
Attacks against 1024 bit DH by computing discrete logarithms (using
the best algorithms known today) in any subgroup are not harder than
the specific case where a subgroup with on the order of maybe 2^165
elements is used, where the attacker can use generic algorithms which
do not use any specific properties of that group. (See some paper by
Wiener for a table giving subgroup sizes for various modulus lengths.)
Because of this, you don't have to use strong primes (where (p-1)/2 is
prime too) for DH, except possibly to avoid small subgroup attacks
(see Lim/Lee) -- it's enough to have a prime q of reasonable size that
divides p-1 (the "subprime") and work in the subgroup of q elements,
i.e. use DSA-style parameters (which saves quite some time when doing
DH computations, which is why I recently added a DSA_dup_DH function
to OpenSSL that turns DSA parameters into DH parameters).
The run-time of generic algorithms for discrete logs is about the
square root of the element number, i.e. about 2^80; that's where the
80 bits figure comes from. But there's much more to do in each of
these 2^80 steps than when brute-forcing a cipher such as 3DES; and
also memory requirements are much higher (you need virtually no memory
for a block-cipher key search). Also note that three-key 3DES does
not really have 168 bits of strength -- with suitable algorithms
(again with huge memory requirements) it is only about as strong as
two-key tripe DES.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
