[tor-dev] Subject: Re: The consequences of key compromise (or the reasons for changing)

Markku-Juhani O. Saarinen mjos at reveresecurity.com
Fri Nov 4 07:14:38 UTC 2011

From: Jon Callas <joncallas at me.com>

> People should get off of 80-bit crypto as soon as is reasonably possible. This means RSA 1024, SHA-1, etc. NIST recommended doing this by the end of 2010, but are now holding their nose and saying that 2013 is the real new date.

Absolutely agree. The 80-bit figure was apparently adopted by the U.S.
Government some 25+ years ago (Skipjack etc.).

> This seems basically reasonable to me. No one has yet factored a 768-bit number, let alone a 1K one. 

768-bit RSA was factored in 2009 and the authors of that paper
conjecture that 1024 bits would be factored "within a decade" and
recommend that 1024-bit RSA should be phased out within a couple of
years. http://eprint.iacr.org/2010/006.pdf

I am certainly doing that with the stuff that I am maintaining.

> SHA-1 actually looks safer today than it did in 2005. But still. Moving away is a Good Thing, so long as it doesn't make you do something stupid.

Well, after the 2005 Wang-Yin-Yu paper which had a 2^69 attack, there
was a claimed 2^52 attack in 2009 which turned out to have a flawed cost
evaluation. There has also been talk of a 2^63 attack, but that
difference can be put down to attack implementation skill and detail.

I was always doubtful whether or not those techniques could be expanded
to work against the SHA-2 algorithms. 

It is also funny that many people talk about SHA-2 as if it were a single
algorithm; there are actually two quite distinct algorithms, one for
(now fading) 32-bit architectures (SHA-224, SHA-256) and one for 64-bit
architectures (SHA-384, SHA-512, SHA-512/224, SHA-512/256). The variants of
these two algorithms only differ in the number of output bits and the IV
values and hence have a constant speed regardless of their digest size.
You can run "openssl speed sha" to see a real-world performance
comparison on a particular box.

- markku

Dr. Markku-Juhani O. Saarinen <mjos at reveresecurity.com>
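Added example (not part of the original message, and not code from the Tor project): a from-scratch implementation of the 32-bit SHA-2 core showing the point above about SHA-224 and SHA-256 being one algorithm. Both digests run the same compression function over the same padded input; SHA-224 only loads a different initial hash value and truncates the final state to 28 bytes. The round constants and both IVs are derived here from the fractional parts of cube and square roots of the first primes (as FIPS 180-4 defines them) rather than typed in, and the result is checked against hashlib. The function names are this example's own.

```python
import hashlib
import struct
from math import isqrt

MASK32 = 0xFFFFFFFF


def _primes(n):
    """First n primes, by trial division (small n, so this is fine)."""
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Exact integer cube root: float estimate, then correct by stepping."""
    x = int(round(n ** (1 / 3)))
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


PRIMES = _primes(64)
# K[i]: first 32 bits of the fractional part of cbrt(i-th prime); shared by SHA-224 and SHA-256.
K = [_icbrt(p << 96) & MASK32 for p in PRIMES]
# SHA-256 IV: first 32 bits of the fractional parts of sqrt() of the first 8 primes.
IV_256 = [isqrt(p << 64) & MASK32 for p in PRIMES[:8]]
# SHA-224 IV: *second* 32 bits of the fractional parts of sqrt() of the 9th..16th primes.
IV_224 = [isqrt(p << 128) & MASK32 for p in PRIMES[8:16]]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _compress(h, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state h."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):  # message schedule
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
    a, b, c, d, e, f, g, hh = h
    for i in range(64):  # 64 rounds, identical for both digest sizes
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (hh + S1 + ch + K[i] + w[i]) & MASK32
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK32
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK32, a, b, c, (d + t1) & MASK32, e, f, g
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def _pad(msg):
    """Merkle-Damgard padding: 0x80, zeros to 56 mod 64, 64-bit big-endian bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha2_32(msg, iv, out_bytes):
    """The single 32-bit SHA-2 core: IV and output truncation are the only knobs."""
    h = list(iv)
    padded = _pad(msg)
    for off in range(0, len(padded), 64):
        h = _compress(h, padded[off:off + 64])
    return struct.pack(">8I", *h)[:out_bytes]


def sha256(msg):
    return sha2_32(msg, IV_256, 32)


def sha224(msg):
    return sha2_32(msg, IV_224, 28)


def matches_hashlib(msg):
    """Cross-check both digests of msg against the system's hashlib implementation."""
    return (sha256(msg) == hashlib.sha256(msg).digest()
            and sha224(msg) == hashlib.sha224(msg).digest())


if __name__ == "__main__":
    # Constructed sample inputs, chosen to cross the 55/56/64-byte padding boundaries.
    for sample in (b"", b"abc", b"A" * 55, b"A" * 56, b"A" * 64, bytes(range(256)) * 4):
        print(len(sample), "bytes:", matches_hashlib(sample))
```

Because the two digests share every round, the only cost difference is the last eight-word pack and slice, which is why `openssl speed` reports essentially the same throughput for SHA-224 and SHA-256 (and likewise for the SHA-512 family). SHA-512/224 and SHA-512/256 are not obtainable from this code or from a plain SHA-512 by truncation alone: they use the 64-bit core with their own IVs.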
