John said:
In 2.2, 2nd paragraph, suggest changing "...m MUST be >=160" -> "...m MUST
be >= 160 bits in length". Later in the paragraph, is 160 bits intended as
the appropriate minimum length for p? (Note, by comparison, that X9.42
requires a multiple of 256 bits with a minimum of 512.)
Then Eric replied:
I'd prefer 160. 512 seems like overkill, and has unpleasant performance
tradeoffs.
I do not have a problem allowing people to have 512-bit private keys. The
performance impact is imposed on themselves. I also think that we should
permit 160-bit private keys for those people that belive 80-bit security is
useful.
In summary, I think that we should allow private keys to be between 160 and
512 bits.
Russ