Yegor Ievlev <koops1997@xxxxxxxxx> writes: > I referred to the fact that there is no value for 4096-bit groups at > all. For higher strengths than 128 bits one should probably not use > non-EC crypto at all, as the document suggests. For Diffie-Hellman 4096-bits, running one of the mathematical methods gives you on the order of 150 bits of security. See RFC 3526 section 8. For a 190-bits of security, you need a Diffie-Hellman of 8k-bits in size. Of course, using a larger Q-ordered subgroup such as we get with safe-primes helps to increase the computation time needed even beyond the standard sieve techniques. The speed of an ECC computation is indeed faster than FFC. However, you need to assume that you can trust that the standard curves have not been heavily pre-computed too. You may wish to visit https://safecurves.cr.yp.to/ for an interesting view on ECDH and ECDSA technology. I am given to understand that NIST is going to be considering EdDSA and things like Curve25519 and Curve448 in the coming year for release. The other thing happening is the consideration of using paired curves. Right now that is not a part of the SSHv2 protocol, but the field continues to get new research. -- Mark _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev