[tor-dev] Discussion on the crypto migration plan of the identity keys of Hidden Services

Nick Mathewson nickm at torproject.org
Fri May 17 16:38:07 UTC 2013

On May 17, 2013 11:29 AM, "David Vorick" <david.vorick at gmail.com> wrote:
> Why are so many bits necessary? Isn't 128bits technically safe against
brute force? At 256 bits you are pretty much safe from any volume of
computational power that one could fathom within this century.

It sounds like you might be mixing up public key and symmetric ciphers.
128 bits is indeed fine for a symmetric cipher, though if you think quantum
computing is around the corner you want 256.

But for public key ciphers, you're not worried about brute force searches:
you're worried about factoring (for RSA-based stuff) or about discrete
logarithms (for DH-based stuff including ElGamal, DSA, etc etc etc).
Opinions differ on adequate key length, but may folks think that 2048-3072
bits is about right for RSA or for DH in Z_p*, whereas 192-256 bits is
about right for DH in elliptic curve groups. Some conservative folks want
more bits; some brave folks want fewer.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20130517/aefb6724/attachment.html>

More information about the tor-dev mailing list