I would like to share what Hugo Krawczyk,
one of IBM's cryptographers has shared with me.
<<
The 256-strength suite is
total overkill.
There is no need to use AES
with 256-bit key today or SHA-512.
Of course, the 128-bit suite
may be broken next month (or in 5 years) but the same is possible
for the 256-bit suite. Actually,
who said 500-bit EC will not turn out to have only 128 bit of security
in a
breakthrough cryptanalysis
in 5-10 years (or next month)?
Given the information we
have today, the 128-bit suite is good enough for almost all commercial
applications.
If you need security of your
data for the next 50 years you may consider going to a stronger suite,
but then
(again) who said that the
256-bit will suffice? (for 50 year security I recommend sending it inside
a physical safe :)
The only reason I see now
for going for a 256-bit suite is to promote ECC.
That may or may not be a
good idea, but it should be clear that that's the only relevant reason
for this suite.
Hugo
>>
Thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/
Ralph Weber <roweber@IEEE.org> Sent by: owner-t10@t10.org
09/12/2007 07:25 PM
To
"'t10@t10.org'" <t10@t10.org>
cc
Subject
256-bit vs 512-bit strength security
* From the T10 Reflector (t10@t10.org), posted by:
* Ralph Weber <roweber@ieee.org>
*
Reminder:
On Wednesday afternoon in Vancouver, you will be asked
to vote your company's position on a choice between
mandating 256-bit strength security or 512-bit strength
security in SPC-4.
If you do not yet know your company's position,
now would be a good time to start asking some
embarrassing questions.
All the best,
.Ralph
*
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo@t10.org