DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Wed Sep 27 01:50:44 AEST 2017



On 09/25/2017 01:54 AM, Mark D. Baushke wrote:
> With the group18 8192-bit MODP prime, we are getting just under 192-bits
> of security... depending on how you calculate it.
> 
> (I think I read somewhere that, going to 16384 (2^14) will get us to
> approximately 229-bits of security and 32768 (2^15) will get us to
> almost 267-bits of security, but I am unable to find the reference right
> now.... sigh.)

According to NIST Special Publication 800-57, Part 1, Revision 4, p. 53, 
(http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf), 
a 7680-bit modulus is estimated to provide 192 bits of security.  Hence, 
an 8192-bit modulus would provide a little over 192.

It also estimates that 256 bits of security is achieved with 15360-bit 
moduli.

    - Joe

