Ilari Liusvaara <ilari.liusva...@elisanet.fi> writes:

>Furthermore, comparing the strengths of kex, auth, ciphering and PRF seems
>like comparing apples, oranges, pears and kumquats.
>
>Even if the nominal strengths are the same, the scaling of strengths is going
>to be different (e.g. the quadric vs. linear sub-threshold scaling for ECDH vs.
>symmetric).

+1.  It's just more numerology:

  (In case you're wondering why you shouldn't go straight to 2048 bits, this
  is another piece of cryptographic numerology that arises from the confusing
  idea of algorithm pairings, that every conventional encryption algorithm or
  key size has to be somehow matched up to a public-key algorithm key size.
  Since conventional encryption algorithms generally have the property that
  every single bit added to the key doubles the work factor needed to break it
  by brute force while public-key algorithms don't, this means that attempts
  to pair conventional-encryption with public-key sizes lead to insanely
  large public keys as the conventional-encryption key sizes get larger.
  Using any known technology it's unlikely that humans can ever get beyond
  about 2^^100 operations, which means that common key sizes of 112 bits
  (triple DES), 128 bits (AES), 192 bits (AES again), and 256 bits (yet more
  AES, because you can never have too many key sizes) are all equally
  unbreakable, and yet the desire for algorithm pairing means that we're
  supposed to go to public-key sizes of 2048, 3072, 7680, and 15,360 bits
  respectively for all of these equally-unbreakable conventional key sizes
  ["Recommendations for Key Management --- Part 1: General", Elaine Barker,
  William Barker, William Burr, William Polk and Miles Smid, NIST Special
  Publication 800-57, 9 July 2012].  This is a good example of the strange
  places that cryptographic numerology can lead you if you believe in it too
  fervently).

So really the table of key sizes should be:

  Conventional      RSA/DH
  ---------------   ---------
  100 bits          1536 bits
  112 (ie. > 100)   1536 bits
  128 (ie. > 100)   1536 bits
  192 (ie. > 100)   1536 bits
  256 (ie. > 100)   1536 bits
  Anything > 100    1536 bits

Peter.
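
The scaling argument in the message above, put into numbers as an added example (not part of the original message or of NIST SP 800-57). It assumes the heuristic GNFS running-time formula with its o(1) term dropped, which is not on the page and gives rough estimates only; the function names are hypothetical, and the pairings are the ones quoted in the message.

```python
import math

# Symmetric key sizes and the RSA/DH sizes paired with them, as quoted in the message.
NIST_PAIRS = [(112, 2048), (128, 3072), (192, 7680), (256, 15360)]

# Constant of the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] (assumption, o(1) dropped).
_C = (64 / 9) ** (1 / 3)


def gnfs_bits(modulus_bits):
    """log2 of the estimated GNFS operation count for a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    return _C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def modulus_for(target_bits, lo=512, hi=65536):
    """Smallest modulus size (bits) whose estimate reaches target_bits, by bisection."""
    if gnfs_bits(hi) < target_bits:
        raise ValueError("target outside search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def bits_per_modulus_bit(modulus_bits):
    """Work-factor bits gained by one more modulus bit (a symmetric key gains 1.0 per bit)."""
    return gnfs_bits(modulus_bits + 1) - gnfs_bits(modulus_bits)


def table():
    """Rows of (symmetric bits, paired modulus bits, estimated work-factor bits)."""
    return [(sym, mod, round(gnfs_bits(mod), 1)) for sym, mod in NIST_PAIRS]


if __name__ == "__main__":
    print(f"1536-bit modulus: about 2^{gnfs_bits(1536):.0f} operations")
    print(f"modulus reaching 2^100: about {modulus_for(100)} bits")
    for sym, mod, est in table():
        gain = bits_per_modulus_bit(mod)
        print(f"{sym:>3}-bit symmetric / {mod:>5}-bit RSA/DH: "
              f"about 2^{est}, {gain:.4f} bits gained per extra modulus bit")
```
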