David Shaw wrote:
On Sun, Mar 26, 2006 at 10:02:18AM -0800, "Hal Finney" wrote:
It's always a tricky question, how much we should try to enforce
security standards in a data-format document. We do put minimum length
restrictions on the moduli to try to protect users against making one
kind of mistake, using a too-short key. In the same way, I don't think
we should allow them to use a 160-bit q for a 3072-bit p. This is the
spirit behind my suggestion to just allow the NIST sizes.
I think we more or less agree on this. My only sticking point is the
idea of allowing people to do something other than the NIST sizes.
How about we make the NIST sizes a SHOULD (like the minimum length
restrictions are SHOULD NOTs), and add a sentence after that to read
something like "Caution should be taken when deviating from the above
parameters which were carefully chosen to balance the strength of the
hash with the strength of the key." ?
That would seem to be the best of all worlds: we strongly advise
people to use the NIST sizes, tell them why we want them to use the
NIST sizes, but don't lock them down.
The question is more whether a receiving implementation
should / may read non-preferred sizes. My inclination
is to reduce them wherever possible. I've yet to see a
real case where it has been useful to have non-standard
sizes, and I've seen many cases where incompatibilities
have sprung from overly broad readings of what was allowed.
There's also no need for the standard to say this at all.
If there was a need for a variant, then the various
implementations can try it out and implement it as a non-
standard variant.
I would vote for just allowing a subset of the NIST sizes.
That is, something like an implementation MUST accept the
NIST set, and SHOULD reject all others. If a need for a
variant comes up, the developers have to battle it out and
justify going up against the SHOULD. If there is a clear
need, then they'll work it out.
iang
PS: was it Bernstein who said, be precise in what you
output, and be precise in what you accept for input?