Network Working Group                                           H. Orman
Request for Comments: 3766                            Purple Streak Dev.
BCP: 86                                                       P. Hoffman
Category: Best Current Practice                           VPN Consortium
                                                              April 2004
        
Network Working Group                                           H. Orman
Request for Comments: 3766                            Purple Streak Dev.
BCP: 86                                                       P. Hoffman
Category: Best Current Practice                           VPN Consortium
                                                              April 2004
        

Determining Strengths For Public Keys Used For Exchanging Symmetric Keys

确定用于交换对称密钥的公钥的强度

Status of this Memo

本备忘录的状况

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

本文件规定了互联网社区的最佳现行做法,并要求进行讨论和提出改进建议。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2004). All Rights Reserved.

版权所有(C)互联网协会(2004年)。版权所有。

Abstract

摘要

Implementors of systems that use public key cryptography to exchange symmetric keys need to make the public keys resistant to some predetermined level of attack. That level of attack resistance is the strength of the system, and the symmetric keys that are exchanged must be at least as strong as the system strength requirements. The three quantities, system strength, symmetric key strength, and public key strength, must be consistently matched for any network protocol usage.

使用公钥加密技术交换对称密钥的系统的实现者需要使公钥抵抗某种预定级别的攻击。这种抗攻击能力是系统的强度,交换的对称密钥必须至少与系统强度要求相同。系统强度、对称密钥强度和公钥强度这三个量对于任何网络协议的使用都必须一致匹配。

While it is fairly easy to express the system strength requirements in terms of a symmetric key length and to choose a cipher that has a key length equal to or exceeding that requirement, it is harder to choose a public key that has a cryptographic strength meeting a symmetric key strength requirement. This document explains how to determine the length of an asymmetric key as a function of a symmetric key strength requirement. Some rules of thumb for estimating equivalent resistance to large-scale attacks on various algorithms are given. The document also addresses how changing the sizes of the underlying large integers (moduli, group sizes, exponents, and so on) changes the time to use the algorithms for key exchange.

虽然用对称密钥长度表示系统强度要求并选择密钥长度等于或超过该要求的密码相当容易,但选择密码强度满足对称密钥强度要求的公钥则更难。本文档说明如何根据对称密钥强度要求确定非对称密钥的长度。给出了估计各种算法对大规模攻击的等效抵抗力的经验法则。本文档还讨论了更改基础大整数(模、组大小、指数等)的大小如何更改使用密钥交换算法的时间。

Table of Contents

目录

   1.  Model of Protecting Symmetric Keys with Public Keys. . . . . .  2
       1.1. The key exchange algorithms . . . . . . . . . . . . . . .  4
   2.  Determining the Effort to Factor . . . . . . . . . . . . . . .  5
       2.1. Choosing parameters for the equation. . . . . . . . . . .  6
       2.2. Choosing k from empirical reports . . . . . . . . . . . .  7
       2.3. Pollard's rho method. . . . . . . . . . . . . . . . . . .  7
       2.4. Limits of large memory and many machines. . . . . . . . .  8
       2.5. Special purpose machines. . . . . . . . . . . . . . . . .  9
   3.  Compute Time for the Algorithms. . . . . . . . . . . . . . . . 10
       3.1. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . 10
            3.1.1. Diffie-Hellman with elliptic curve groups. . . . . 11
       3.2. RSA encryption and decryption . . . . . . . . . . . . . . 11
       3.3. Real-world examples . . . . . . . . . . . . . . . . . . . 12
   4.  Equivalences of Key Sizes. . . . . . . . . . . . . . . . . . . 13
       4.1. Key equivalence against special purpose brute force
            hardware. . . . . . . . . . . . . . . . . . . . . . . . . 15
       4.2. Key equivalence against conventional CPU brute force
            attack. . . . . . . . . . . . . . . . . . . . . . . . . . 15
       4.3. A One Year Attack: 80 bits of strength. . . . . . . . . . 16
       4.4. Key equivalence for other ciphers . . . . . . . . . . . . 16
       4.5. Hash functions for deriving symmetric keys from public
            key algorithms. . . . . . . . . . . . . . . . . . . . . . 17
       4.6. Importance of randomness. . . . . . . . . . . . . . . . . 19
   5.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1. TWIRL Correction. . . . . . . . . . . . . . . . . . . . . 20
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 20
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
       7.1. Informational References. . . . . . . . . . . . . . . . . 20
   8.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
   9.  Full Copyright Statement . . . . . . . . . . . . . . . . . . . 23
        
   1.  Model of Protecting Symmetric Keys with Public Keys. . . . . .  2
       1.1. The key exchange algorithms . . . . . . . . . . . . . . .  4
   2.  Determining the Effort to Factor . . . . . . . . . . . . . . .  5
       2.1. Choosing parameters for the equation. . . . . . . . . . .  6
       2.2. Choosing k from empirical reports . . . . . . . . . . . .  7
       2.3. Pollard's rho method. . . . . . . . . . . . . . . . . . .  7
       2.4. Limits of large memory and many machines. . . . . . . . .  8
       2.5. Special purpose machines. . . . . . . . . . . . . . . . .  9
   3.  Compute Time for the Algorithms. . . . . . . . . . . . . . . . 10
       3.1. Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . 10
            3.1.1. Diffie-Hellman with elliptic curve groups. . . . . 11
       3.2. RSA encryption and decryption . . . . . . . . . . . . . . 11
       3.3. Real-world examples . . . . . . . . . . . . . . . . . . . 12
   4.  Equivalences of Key Sizes. . . . . . . . . . . . . . . . . . . 13
       4.1. Key equivalence against special purpose brute force
            hardware. . . . . . . . . . . . . . . . . . . . . . . . . 15
       4.2. Key equivalence against conventional CPU brute force
            attack. . . . . . . . . . . . . . . . . . . . . . . . . . 15
       4.3. A One Year Attack: 80 bits of strength. . . . . . . . . . 16
       4.4. Key equivalence for other ciphers . . . . . . . . . . . . 16
       4.5. Hash functions for deriving symmetric keys from public
            key algorithms. . . . . . . . . . . . . . . . . . . . . . 17
       4.6. Importance of randomness. . . . . . . . . . . . . . . . . 19
   5.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 19
       5.1. TWIRL Correction. . . . . . . . . . . . . . . . . . . . . 20
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 20
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
       7.1. Informational References. . . . . . . . . . . . . . . . . 20
   8.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
   9.  Full Copyright Statement . . . . . . . . . . . . . . . . . . . 23
        
1. Model of Protecting Symmetric Keys with Public Keys
1. 用公钥保护对称密钥的模型

Many books on cryptography and security explain the need to exchange symmetric keys in public as well as the many algorithms that are used for this purpose. However, few of these discussions explain how the strengths of the public keys and the symmetric keys are related.

许多关于密码学和安全性的书籍解释了公开交换对称密钥的必要性,以及为此目的使用的许多算法。然而,这些讨论很少解释公钥和对称密钥的优势是如何相互关联的。

To understand this, picture a house with a strong lock on the front door. Next to the front door is a small lockbox that contains the key to the front door. A would-be burglar who wants to break into the house through the front door has two options: attack the lock on the front door, or attack the lock on the lockbox in order to retrieve the key. Clearly, the burglar is better off attacking the weaker of the two locks. The homeowner in this situation must make

要理解这一点,请想象一座前门有一把坚固的锁的房子。前门旁边是一个小锁箱,里面装着前门的钥匙。想要从前门闯入房子的潜在窃贼有两种选择:攻击前门上的锁,或者攻击锁箱上的锁以取回钥匙。显然,窃贼最好攻击两把锁中较弱的一把。在这种情况下,房主必须

sure that adding the second entry option (the lockbox containing the front door key) is at least as strong as the lock on the front door, in order not to make the burglar's job easier.

确保添加第二个进入选项(包含前门钥匙的锁箱)至少与前门上的锁一样坚固,以免使窃贼的工作更容易。

An implementor designing a system for exchanging symmetric keys using public key cryptography must make a similar decision. Assume that an attacker wants to learn the contents of a message that is encrypted with a symmetric key, and that the symmetric key was exchanged between the sender and recipient using public key cryptography. The attacker has two options to recover the message: a brute-force attempt to determine the symmetric key by repeated guessing, or mathematical determination of the private key used as the key exchange key. A smart attacker will work on the easier of these two problems.

设计使用公钥密码交换对称密钥的系统的实现者必须做出类似的决定。假设攻击者希望了解使用对称密钥加密的消息的内容,并且对称密钥是在发送方和接收方之间使用公钥加密进行交换的。攻击者有两种恢复消息的方法:通过反复猜测来强行确定对称密钥,或通过数学方法确定用作密钥交换密钥的私钥。聪明的攻击者可以解决这两个问题中较简单的一个。

A simple-minded answer to the implementor's problem is to be sure that the key exchange system is always significantly stronger than the symmetric key; this can be done by choosing a very long public key. Such a design is usually not a good idea because the key exchanges become much more expensive in terms of processing time as the length of the public keys go up. Thus, the implementor is faced with the task of trying to match the difficulty of an attack on the symmetric key with the difficulty of an attack on the public key encryption. This analysis is not necessary if the key exchange can be performed with extreme security for almost no cost in terms of elapsed time or CPU effort; unfortunately, this is not the case for public key methods today.

对于实现者的问题,一个简单的答案是确保密钥交换系统总是明显强于对称密钥;这可以通过选择很长的公钥来实现。这样的设计通常不是一个好主意,因为随着公钥长度的增加,密钥交换在处理时间方面变得更加昂贵。因此,实现者面临着试图将对称密钥攻击的难度与公钥加密攻击的难度匹配的任务。如果密钥交换可以在极端安全的情况下执行,并且几乎不需要花费时间或CPU精力,则无需进行此分析;不幸的是,今天的公钥方法并非如此。

A third consideration is the minimum security requirement of the user. Assume the user is encrypting with CAST-128 and requires a symmetric key with a resistance time against brute-force attack of 20 years. He might start off by choosing a key with 86 random bits, and then use a one-way function such as SHA-1 to "boost" that to a block of 160 bits, and then take 128 of those bits as the key for CAST-128. In such a case, the key exchange algorithm need only match the difficulty of 86 bits, not 128 bits.

第三个考虑因素是用户的最低安全要求。假设用户使用CAST-128加密,并且需要一个抵抗暴力攻击时间为20年的对称密钥。他可能首先选择一个包含86个随机位的密钥,然后使用单向函数(如SHA-1)将其“提升”到160位的块,然后将其中的128位作为CAST-128的密钥。在这种情况下,密钥交换算法只需要匹配86位的难度,而不是128位。

The selection procedure is:

选择程序如下:

1. Determine the attack resistance necessary to satisfy the security requirements of the application. Do this by estimating the minimum number of computer operations that the attacker will be forced to do in order to compromise the security of the system and then take the logarithm base two of that number. Call that logarithm value "n".

1. 确定满足应用程序安全要求所需的抗攻击能力。要做到这一点,请估计攻击者为危害系统安全而被迫执行的最小计算机操作数,然后取该数字的对数底2。把那个对数叫做“n”。

A 1996 report recommended 90 bits as a good all-around choice for system security. The 90 bit number should be increased by about 2/3 bit/year, or about 96 bits in 2005.

1996年的一份报告建议将90位作为系统安全性的良好全面选择。90位数字应每年增加约2/3位,或在2005年增加约96位。

2. Choose a symmetric cipher that has a key with at least n bits and at least that much cryptanalytic strength.

2. 选择一个对称密码,它的密钥至少有n位,并且密码分析强度至少有这么大。

3. Choose a key exchange algorithm with a resistance to attack of at least n bits.

3. 选择一种抗攻击能力至少为n位的密钥交换算法。

A fourth consideration might be the public key authentication method used to establish the identity of a user. This might be an RSA digital signature or a DSA digital signature. If the modulus for the authentication method isn't large enough, then the entire basis for trusting the communication might fall apart. The following step is thus added:

第四个考虑因素可能是用于建立用户身份的公钥认证方法。这可能是RSA数字签名或DSA数字签名。如果身份验证方法的模数不够大,那么信任通信的整个基础可能会崩溃。因此,添加了以下步骤:

4. Choose an authentication algorithm with a resistance to attack of at least n bits. This ensures that a similar key exchanged cannot be forged between the two parties during the secrecy lifetime of the encrypted material. This may not be strictly necessary if the authentication keys are changed frequently and they have a well-understood usage lifetime, but in lieu of this, the n bit guidance is sound.

4. 选择抗攻击能力至少为n位的身份验证算法。这确保了在加密材料的保密期内,双方之间不能伪造交换的类似密钥。如果身份验证密钥经常更改,并且它们有一个很好理解的使用寿命,那么这可能不是严格必要的,但是作为替代,n位指导是合理的。

1.1. The key exchange algorithms
1.1. 密钥交换算法

The Diffie-Hellman method uses a group, a generator, and exponents. In today's Internet standards, the group operation is based on modular multiplication. Here, the group is defined by the multiplicative group of an integer, typically a prime p = 2q + 1, where q is a prime, and the arithmetic is done modulo p; the generator (which is often simply 2) is denoted by g.

Diffie-Hellman方法使用组、生成器和指数。在当今的互联网标准中,分组运算是基于模乘的。这里,该群由整数的乘法群定义,通常是素数p=2q+1,其中q是素数,并且算术是以p模完成的;生成器(通常为2)用g表示。

In Diffie-Hellman, Alice and Bob first agree (in public or in private) on the values for g and p. Alice chooses a secret large random integer (a), and Bob chooses a secret random large integer (b). Alice sends Bob A, which is g^a mod p; Bob sends Alice B, which is g^b mod p. Next, Alice computes B^a mod p, and Bob computes A^b mod p. These two numbers are equal, and the participants use a simple function of this number as the symmetric key k.

在Diffie Hellman中,Alice和Bob首先(公开或私下)就g和p的值达成一致。Alice选择一个秘密大随机整数(a),Bob选择一个秘密大随机整数(b)。Alice发送Bob A,即g^A mod p;Bob发送Alice B,即g^B mod p。接下来,Alice计算B^a mod p,Bob计算a^B mod p。这两个数字相等,参与者使用这个数字的一个简单函数作为对称密钥k。

Note that Diffie-Hellman key exchange can be done over different kinds of group representations. For instance, elliptic curves defined over finite fields are a particularly efficient way to compute the key exchange [SCH95].

请注意,Diffie-Hellman密钥交换可以在不同类型的组表示上完成。例如,在有限域上定义的椭圆曲线是计算密钥交换的一种特别有效的方法[SCH95]。

For RSA key exchange, assume that Bob has a public key (m) which is equal to p*q, where p and q are two secret prime numbers, and an encryption exponent e, and a decryption exponent d. For the key exchange, Alice sends Bob E = k^e mod m, where k is the secret symmetric key being exchanged. Bob recovers k by computing E^d mod m, and the two parties use k as their symmetric key. While Bob's encryption exponent e can be quite small (e.g., 17 bits), his decryption exponent d will have as many bits in it as m does.

对于RSA密钥交换,假设Bob有一个公钥(m),它等于p*q,其中p和q是两个秘密素数,加密指数e和解密指数d。对于密钥交换,Alice发送Bob E=k^E mod m,其中k是正在交换的秘密对称密钥。Bob通过计算E^d mod m来恢复k,双方使用k作为对称密钥。虽然Bob的加密指数e可能非常小(例如,17位),但他的解密指数d中的位数与m中的位数相同。

2. Determining the Effort to Factor
2. 确定努力因素

The RSA public key encryption method is immune to brute force guessing attacks because the modulus (and thus, the secret exponent d) will have at least 512 bits, and that is too many possibilities to guess. The Diffie-Hellman exchange is also secure against guessing because the exponents will have at least twice as many bits as the symmetric keys that will be derived from them. However, both methods are susceptible to mathematical attacks that determine the structure of the public keys.

RSA公钥加密方法不受暴力猜测攻击的影响,因为模(因此,秘密指数d)将至少有512位,而且猜测的可能性太多。Diffie-Hellman交换也可以防止猜测,因为指数将拥有至少两倍于对称密钥的比特数。然而,这两种方法都容易受到决定公钥结构的数学攻击。

Factoring an RSA modulus will result in complete compromise of the security of the private key. Solving the discrete logarithm problem for a Diffie-Hellman modular exponentiation system will similarly destroy the security of all key exchanges using the particular modulus. This document assumes that the difficulty of solving the discrete logarithm problem is equivalent to the difficulty of factoring numbers that are the same size as the modulus. In fact, it is slightly harder because it requires more operations; based on empirical evidence so far, the ratio of difficulty is at least 20, possibly as high as 64. Solving either problem requires a great deal of memory for the last stage of the algorithm, the matrix reduction step. Whether or not this memory requirement will continue to be the limiting factor in solving larger integer problems remains to be seen. At the current time it is not, and there is active research into parallel matrix algorithms that might mitigate the memory requirements for this problem.

分解RSA模将导致私钥的安全性完全受损。解决Diffie-Hellman模幂系统的离散对数问题同样会破坏使用特定模的所有密钥交换的安全性。本文件假设解决离散对数问题的难度等同于分解与模数大小相同的数字的难度。事实上,这稍微困难一些,因为它需要更多的操作;根据迄今为止的经验证据,难度比至少为20,可能高达64。解决这两个问题都需要大量内存,用于算法的最后一个阶段,即矩阵缩减步骤。这种内存需求是否会继续成为解决更大整数问题的限制因素还有待观察。目前情况并非如此,目前正在积极研究并行矩阵算法,以缓解该问题的内存需求。

The number field sieve (NFS) [GOR93] [LEN93] is the best method today for solving the discrete logarithm problem. The formula for estimating the number of simple arithmetic operations needed to factor an integer, n, using the NFS method is:

数字域筛选(NFS)[GOR93][LEN93]是目前解决离散对数问题的最佳方法。使用NFS方法估计将整数n因子化所需的简单算术运算数的公式为:

      L(n) = k * e^((1.92 + o(1)) * cubrt(ln(n) * (ln(ln(n)))^2))
        
      L(n) = k * e^((1.92 + o(1)) * cubrt(ln(n) * (ln(ln(n)))^2))
        

Many people prefer to discuss the number of MIPS years (MYs) that are needed for large operations such as the number field sieve. For such an estimation, an operation in the L(n) formula is one computer

许多人喜欢讨论大型操作(如数字字段筛选)所需的MIPS年数(MYs)。对于这种估计,L(n)公式中的运算是一台计算机

instruction. Empirical evidence indicates that 4 or 5 instructions might be a closer match, but this is a minor factor and this document sticks with one operation/one instruction for this discussion.

指示经验证据表明,4个或5个指令可能更接近匹配,但这是一个次要因素,本文档坚持使用一个操作/一个指令进行讨论。

2.1. Choosing parameters for the equation
2.1. 方程参数的选择

The expression above has two parameters that can be estimated by empirical means: k and o(1). For the range of numbers we are interested in, there is little distinction between them.

上面的表达式有两个参数可以通过经验方法估计:k和o(1)。就我们感兴趣的数字范围而言,它们之间几乎没有区别。

One could assume that k is 1 and o(1) is 0. This is reasonably valid if the expression is only used for estimating relative effort (instead of actual effort) and one assumes that the o(1) term is very small over the range of the numbers that are to be factored.

我们可以假设k是1,o(1)是0。如果表达式仅用于估算相对作用力(而非实际作用力),并且假设o(1)项在要分解的数字范围内非常小,则这是合理有效的。

Or, one could assume that o(1) is small and roughly constant and thus its value can be folded into k; then estimate k from reported amounts of effort spent factoring large integers in tests.

或者,我们可以假设o(1)很小且大致恒定,因此其值可以折成k;然后根据报告的在测试中分解大整数所花费的工作量来估计k。

This document uses the second approach in order to get an estimate of the significance of the factor. It appears to be minor, based on the following calculations.

本文件使用第二种方法,以获得对该因素重要性的估计。根据以下计算,这似乎是次要的。

Sample values from recent work with the number field sieve include:

最近使用数字字段筛选的样本值包括:

Test name Number of Number of MYs of effort decimal bits digits RSA130 130 430 500 RSA140 140 460 2000 RSA155 155 512 8000 RSA160 160 528 3000

测试名称努力的MYs数量十进制位数字RSA130 430 500 RSA140 140 460 2000 RSA155 512 8000 RSA160 528 3000

There are few precise measurements of the amount of time used for these factorizations. In most factorization tests, hundreds or thousands of computers are used over a period of several months, but the number of their cycles were used for the factoring project, the precise distribution of processor types, speeds, and so on are not usually reported. However, in all the above cases, the amount of effort used was far less than the L(n) formula would predict if k was 1 and o(1) was 0.

对于这些分解所用的时间量,几乎没有精确的测量。在大多数因子分解测试中,数百台或数千台计算机在几个月的时间内被使用,但它们的周期数用于因子分解项目,处理器类型、速度等的精确分布通常不会报告。然而,在上述所有情况下,如果k为1,o(1)为0,所用的工作量远远小于L(n)公式所预测的工作量。

A similar estimate of effort, done in 1995, is in [ODL95].

1995年完成的类似工作估算见[ODL95]。

Results indicating that for the Number Field Sieve factoring method, the actual number of operations is less than expected, are found in [DL].

结果表明,对于数字域筛选因子分解法,实际操作数低于预期,见[DL]。

2.2. Choosing k from empirical reports
2.2. 从实证报告中选择k

By solving for k from the empirical reports, it appears that k is approximately 0.02. This means that the "effective key strength" of the RSA algorithm is about 5 or 6 bits less than is implied by the naive application of equation L(n) (that is, setting k to 1 and o(1) to 0). These estimates of k are fairly stable over the numbers reported in the table. The estimate is limited to a single significant digit of k because it expresses real uncertainties; however, the effect of additional digits would have make only tiny changes to the recommended key sizes.

通过从经验报告中求解k,k似乎约为0.02。这意味着RSA算法的“有效密钥强度”比方程L(n)的简单应用(即,将k设置为1,o(1)设置为0)所暗示的大约少5或6位。与表中报告的数字相比,k的这些估计值相当稳定。由于表示实际的不确定性,估计值仅限于k的一个有效数字;然而,额外数字的效果只会对建议的密钥大小进行微小的更改。

The factorers of RSA130 used about 1700 MYs, but they felt that this was unrealistically high for prediction purposes; by using more memory on their machines, they could have easily reduced the time to 500 MYs. Thus, the value used in preparing the table above was 500. This story does, however, underscore the difficulty in getting an accurate measure of effort. This document takes the reported effort for factoring RSA155 as being the most accurate measure.

RSA130的因子分析者使用了大约1700 MYs,但他们认为这对于预测来说是不切实际的高;通过在机器上使用更多内存,他们可以轻松地将时间减少到500 MYs。因此,编制上表时使用的数值为500。然而,这个故事确实强调了准确衡量努力的困难。本文件将报告的RSA155分解工作视为最准确的衡量标准。

As a result of examining the empirical data, it appears that the L(n) formula can be used with the o(1) term set to 0 and with k set to 0.02 when talking about factoring numbers in the range of 100 to 200 decimal digits. The equation becomes:

检验经验数据的结果表明,在讨论100到200位十进制数字的因式分解时,L(n)公式可以使用o(1)项设置为0,k设置为0.02。方程式变成:

      L(n) =  0.02 * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))
        
      L(n) =  0.02 * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))
        

To convert L(n) from simple math instructions to MYs, divide by 3*10^13. The equation for the number of MYs needed to factor an integer n then reduces to:

要将L(n)从简单数学指令转换为MYs,请除以3*10^13。将整数n作为因子所需的MYs数的等式则减少为:

      MYs = 6 * 10^(-16) * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))
        
      MYs = 6 * 10^(-16) * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))
        

With what confidence can this formula be used for predicting the difficulty of factoring slightly larger numbers? The answer is that it should be a close upper bound, but each factorization effort is usually marked by some improvement in the algorithms or their implementations that makes the running time somewhat shorter than the formula would indicate.

这个公式在预测分解稍大数字的难度时有多大的可信度?答案是,它应该是一个接近的上限,但每个分解工作通常都以算法或其实现的某些改进为标志,这使得运行时间比公式所指示的要短一些。

2.3. Pollard's rho method
2.3. 波拉德rho法

In Diffie-Hellman exchanges, there is a second attack, Pollard's rho method [POL78]. The algorithm relies on finding collisions between values computed in a large number space; its success rate is proportional to the square root of the size of the space. Because of Pollard's rho method, the search space in a DH key exchange for the key (the exponent in a g^a term), must be twice as large as the

在Diffie-Hellman交换中,存在第二种攻击,即Pollard的rho方法[POL78]。该算法依赖于查找在大量空间中计算的值之间的冲突;它的成功率与空间大小的平方根成正比。由于Pollard的rho方法,DH密钥交换中密钥的搜索空间(g^a项中的指数)必须是

symmetric key. Therefore, to securely derive a key of K bits, an implementation must use an exponent with at least 2*K bits. See [ODL99] for more detail.

对称密钥。因此,为了安全地派生K位密钥,实现必须使用至少具有2*K位的指数。有关更多详细信息,请参见[ODL99]。

When the Diffie-Hellman key exchange is done using an elliptic curve method, the NFS methods are of no avail. However, the collision method is still effective, and the need for an exponent (called a multiplier in EC's) with 2*K bits remains. The modulus used for the computation can also be 2*K bits, and this will be substantially smaller than the modulus needed for modular exponentiation methods as the desired security level increases past 64 bits of brute-force attack resistance.

当Diffie-Hellman密钥交换使用椭圆曲线方法完成时,NFS方法无效。然而,碰撞方法仍然有效,并且仍然需要2*K位的指数(在EC中称为乘法器)。用于计算的模数也可以是2*K位,这将大大小于模数求幂方法所需的模数,因为所需的安全级别增加到超过64位的暴力攻击抗性。

One might ask, how can you compare the number of computer instructions really needed for a discrete logarithm attack to the number needed to search the keyspace of a cipher? In comparing the efforts, one should consider what a "basic operation" is. For brute force search of the keyspace of a symmetric encryption algorithm like DES, the basic operation is the time to do a key setup and the time to do one encryption. For discrete logs, the basic operation is a modular squaring. The log of the ratio of these two operations can be used as a "normalizing factor" between the two kinds of computations. However, even for very large moduli (16K bits), this factor amounts to only a few bits of extra effort.

有人可能会问,如何将离散对数攻击所需的计算机指令数与搜索密码密钥空间所需的指令数进行比较?在比较努力时,应该考虑什么是“基本操作”。对于对称加密算法(如DES)的密钥空间的暴力搜索,基本操作是执行密钥设置和执行一次加密的时间。对于离散原木,基本操作是模块化平方。这两种运算比率的对数可用作两种计算之间的“归一化因子”。然而,即使对于非常大的模(16K位),这个系数也只相当于额外的几位工作量。

2.4. Limits of large memory and many machines
2.4. 大内存和许多机器的限制

Robert Silverman has examined the question of when it will be practical to factor RSA moduli larger than 512 bits. His analysis is based not only on the theoretical number of operations, but it also includes expectations about the availability of actual machines for performing the work (this document is based only on theoretical number of operations). He examines the question of whether or not we can expect there be enough machines, memory, and communication to factor a very large number.

罗伯特·西尔弗曼(Robert Silverman)研究了RSA模大于512位的因子何时可行的问题。他的分析不仅基于理论操作数,还包括对实际机器执行工作可用性的预期(本文件仅基于理论操作数)。他研究了我们是否能够期望有足够的机器、内存和通信来考虑一个非常大的数字的问题。

The best factoring methods need a lot of random access memory for collecting data relations (sieving) and a critical final step that does a row reduction on a large matrix. The memory requirements are related to the size of the number being factored (or subjected to discrete logarithm solution). Silverman [SILIEEE99] [SIL00] has argued that there is a practical limit to the number of machines and the amount of RAM that can be brought to bear on a single problem in the foreseeable future. He sees two problems in attacking a 1024-bit RSA modulus: the machines doing the sieving will need 64-bit address spaces and the matrix row reduction machine will need several terabytes of memory. Silverman notes that very few 64-bit machines

最好的因式分解方法需要大量的随机访问内存来收集数据关系(筛选),以及在大型矩阵上进行行缩减的关键最后一步。内存需求与被分解的数字(或离散对数解)的大小有关。Silverman[SILIEEE99][SIL00]认为,在可预见的未来,一个问题所能带来的机器数量和RAM数量是有实际限制的。他认为攻击1024位RSA模存在两个问题:进行筛选的机器将需要64位地址空间,矩阵行缩减机器将需要数TB的内存。Silverman指出,很少有64位计算机

that have the 170 gigabytes of memory needed for sieving have been sold. Nearly a billion such machines are necessary for the sieving in a reasonable amount of time (a year or two).

具有筛选所需的170G内存的处理器已经售出。在合理的时间内(一年或两年),近十亿台这样的机器是筛分所必需的。

Silverman's conclusion, based on the history of factoring efforts and Moore's Law, is that 1024-bit RSA moduli will not be factored until about 2037. This implies a much longer lifetime to RSA keys than the theoretical analysis indicates. He argues that predictions about how many machines and memory modules will be available can be with great confidence, based on Moore's Law extrapolations and the recent history of factoring efforts.

Silverman的结论是,基于分解工作的历史和摩尔定律,1024位RSA模直到2037年左右才会分解。这意味着RSA密钥的使用寿命比理论分析表明的要长得多。他认为,根据摩尔定律外推和最近的因子分解历史,可以非常有信心地预测将有多少台机器和内存模块可用。

One should give the practical considerations a great deal of weight, but in a risk analysis, the physical world is less predictable than trend graphs would indicate. In considering how much trust to put into the inability of the computer industry to satisfy the voracious needs of factorers, one must have some insight into economic considerations that are more complicated than the mathematics of factoring. The demand for computer memory is hard to predict because it is based on applications: a "killer app" might come along any day and send the memory industry into a frenzy of sales. The number of processors available on desktops may be limited by the number of desks, but very capable embedded systems account for more processor sales than desktops. As embedded systems absorb networking functions, it is not unimaginable that millions of 64-bit processors with at least gigabytes of memory will pervade our environment.

人们应该对实际考虑给予很大的重视,但在风险分析中,物理世界的可预测性不如趋势图所示。在考虑计算机行业无法满足保理商贪婪的需求时,我们必须对比保理数学更复杂的经济因素有所了解。计算机内存的需求很难预测,因为它是基于应用程序的:一个“杀手级应用程序”随时可能出现,并使内存行业陷入销售狂潮。台式机上可用的处理器数量可能受到台式机数量的限制,但功能强大的嵌入式系统比台式机的处理器销售额更高。随着嵌入式系统吸收网络功能,数百万个64位处理器(至少有千兆字节内存)将遍布我们的环境并非不可想象。

The bottom line on this is that the key length recommendations predicted by theory may be overly conservative, but they are what we have used for this document. This question of machine availability is one that should be reconsidered in light of current technology on a regular basis.

这方面的底线是,理论预测的关键长度建议可能过于保守,但它们是我们在本文件中使用的。机器可用性问题应根据当前技术定期重新考虑。

2.5. Special purpose machines
2.5. 专用机器

In August of 2003, a design for a special-purpose "sieving machine" (TWIRL) surfaced [Shamir2003], and it substantially changed the cost estimates for factoring numbers up to 1024 bits in size. By applying many high-speed VLSI components in parallel, such a machine might be able to carry out the sieving of 512-bit numbers in 10 minutes at a cost of $10K for the hardware. A larger version could sieve a 1024- bit number in one year for a cost of $10M. The work cites some advances in approaches to the row reduction step in concluding that the security of 1024-bit RSA moduli is doubtful.

2003年8月,一种特殊用途的“筛分机”(TWIRL)设计浮出水面[Shamir2003],它极大地改变了将数字分解为1024位大小的成本估算。通过并行应用许多高速VLSI组件,这种机器可能能够在10分钟内完成512位数字的筛选,硬件成本为1万美元。一个更大的版本可以在一年内筛选出一个1024位的数字,花费1000万美元。这项工作引用了行缩减步骤方法的一些进展,得出1024位RSA模的安全性值得怀疑的结论。

The estimates for the time and cost for factoring 512-bit and 1024- bit numbers correspond to a speed-up factor of about 2 million over what can be achieved with commodity processors of a few years ago.

对512位和1024位数字的分解时间和成本的估计相当于几年前商品处理器所能达到的大约200万的加速系数。

3. Compute Time for the Algorithms
3. 计算算法的时间

This section describes how long it takes to use the algorithms to perform key exchanges. Again, it is important to consider the increased time it takes to exchange symmetric keys when increasing the length of public keys. It is important to avoid choosing unfeasibly long public keys.

本节描述使用算法执行密钥交换所需的时间。同样,重要的是要考虑在增加公钥长度时交换对称密钥所需的时间。避免选择不可行的长公钥很重要。

3.1. Diffie-Hellman Key Exchange
3.1. Diffie-Hellman密钥交换

A Diffie-Hellman key exchange is done with a finite cyclic group G with a generator g and an exponent x. As noted in the Pollard's rho method section, the exponent has twice as many bits as are needed for the final key. Let the size of the group G be p, let the number of bits in the base 2 representation of p be j, and let the number of bits in the exponent be K.

Diffie-Hellman密钥交换是通过有限循环群G与生成器G和指数x进行的。正如Pollard的rho方法部分所述,指数的位数是最终密钥所需位数的两倍。设G组的大小为p,p的基2表示中的位数为j,指数中的位数为K。

In doing the operations that result in a shared key, a generator is raised to a power. The most efficient way to do this involves squaring a number K times and multiplying it several times along the way. Each of the numbers has j/w computer words in it, where w is the number of bits in a computer word (today that will be 32 or 64 bits). A naive assumption is that you will need to do j squarings and j/2 multiplies; fortunately, an efficient implementation will need fewer (NB: for the remainder of this section, n represents j/w).

在执行导致共享密钥的操作时,生成器将被提升到电源。实现这一点的最有效方法是将数字K平方,然后沿着此方法将其乘以几次。每个数字中都有j/w计算机字,其中w是计算机字中的位数(现在是32或64位)。一个天真的假设是你需要做j平方和j/2乘法;幸运的是,一个有效的实现需要更少的时间(注意:对于本节的其余部分,n代表j/w)。

A squaring operation does not need to use quite as many operations as a multiplication; a reasonable estimate is that squaring takes .6 the number of machine instructions of a multiply. If one prepares a table ahead of time with several values of small integer powers of the generator g, then only about one fifth as many multiplies are needed as the naive formula suggests. Therefore, one needs to do the work of approximately .8*K multiplies of n-by-n word numbers. Further, each multiply and squaring must be followed by a modular reduction, and a good assumption is that it is as hard to do a modular reduction as it is to do an n-by-n word multiply. Thus, it takes K reductions for the squarings and .2*K reductions for the multiplies. Summing this, the total effort for a Diffie-Hellman key exchange with K bit exponents and a modulus of n words is approximately 2*K n-by-n-word multiplies.

平方运算不需要使用与乘法运算一样多的运算;一个合理的估计是平方运算需要.6乘法运算的机器指令数。如果一个人提前准备了一张表,其中包含生成器g的几个小整数次幂的值,那么只需要原始公式所建议的大约五分之一的倍数。因此,需要对n×n字数进行大约.8*K的乘法运算。此外,每次乘法和平方运算之后都必须进行模化简并,一个好的假设是,进行模化简并和进行n×n字乘法一样困难。因此,平方需要K个约化,乘法需要.2*K个约化。综上所述,使用K位指数和n个字的模进行Diffie-Hellman密钥交换的总工作量约为2*K n×n字的倍数。

For 32-bit processors, integers that use less than about 30 computer words in their representation require at least n^2 instructions for an n-by-n-word multiply. Larger numbers will use less time, using Karatsuba multiplications, and they will scale as about n^(1.58) for larger n, but that is ignored for the current discussion. Note that 64-bit processors push the "Karatsuba cross-over" number out to even more bits.

对于32位处理器,在其表示中使用少于30个计算机字的整数需要至少n^2个指令进行n×n字乘法。使用Karatsuba乘法,较大的数字将使用较少的时间,并且对于较大的n,它们将扩展为约n^(1.58),但在当前讨论中忽略了这一点。请注意,64位处理器将“Karatsuba交叉”数推到更多位。

The basic result is: if you double the size of the Diffie-Hellman modular exponentiation group, you quadruple the number of operations needed for the computation.

基本结果是:如果将Diffie-Hellman模幂运算组的大小增加一倍,则计算所需的运算数量将增加四倍。

3.1.1. Diffie-Hellman with elliptic curve groups
3.1.1. 椭圆曲线群的Diffie-Hellman

Note that the ratios for computation effort as a function of modulus size hold even if you are using an elliptic curve (EC) group for Diffie-Hellman. However, for equivalent security, one can use smaller numbers in the case of elliptic curves. Assume that someone has chosen an modular exponentiation group with an 2048 bit modulus as being an appropriate security measure for a Diffie-Hellman application and wants to determine what advantage there would be to using an EC group instead. The calculation is relatively straightforward, if you assume that on the average, it is about 20 times more effort to do a squaring or multiplication in an EC group than in a modular exponentiation group. A rough estimate is that an EC group with equivalent security has about 200 bits in its representation. Then, assuming that the time is dominated by n-by-n-word operations, the relative time is computed as:

请注意,即使使用Diffie-Hellman的椭圆曲线(EC)组,计算工作量与模数大小的函数之比仍然有效。然而,为了同等的安全性,可以在椭圆曲线的情况下使用较小的数字。假设有人选择具有2048位模的模幂组作为Diffie-Hellman应用程序的适当安全措施,并希望确定使用EC组的优势。计算相对简单,如果您假设平均而言,在EC组中进行平方运算或乘法的工作量大约是模幂运算组的20倍。粗略估计,具有同等安全性的EC组在其表示中约有200位。然后,假设时间由n×n字操作控制,相对时间计算为:

      ((2048/200)^2)/20 ~= 5
        
      ((2048/200)^2)/20 ~= 5
        

showing that an elliptic curve implementation should be five times as fast as a modular exponentiation implementation.

显示椭圆曲线实现的速度应该是模幂实现的五倍。

3.2. RSA encryption and decryption
3.2. RSA加密和解密

Assume that an RSA public key uses a modulus with j bits; its factors are two numbers of about j/2 bits each. The expected computation time for encryption and decryption are different. As before, we denote the number of words in the machine representation of the modulus by the symbol n.

假设RSA公钥使用具有j位的模;它的系数是两个数,每个数约为j/2位。加密和解密的预期计算时间不同。如前所述,我们用符号n表示模的机器表示中的字数。

Most implementations of RSA use a small exponent for encryption. An encryption may involve as few as 16 squarings and one multiplication, using n-by-n-word operations. Each operation must be followed by a modular reduction, and therefore the time complexity is about 16*(.6 + 1) + 1 + 1 ~= 28 n-by-n-word multiplies.

大多数RSA实现都使用小指数进行加密。一次加密可能只涉及16次平方运算和一次乘法,使用n×n字运算。每个操作之后都必须进行模块化缩减,因此时间复杂度约为16*(.6+1)+1+1~=28个n×n字的倍数。

RSA decryption must use an exponent that has as many bits as the modulus, j. However, the Chinese Remainder Theorem applies, and all the computations can be done with a modulus of only n/2 words and an exponent of only j/2 bits. The computation must be done twice, once for each factor. The effort is equivalent to 2*(j/2) (n/2 by n/2)- word multiplies. Because multiplying numbers with n/2 words is only 1/4 as difficult as multiplying numbers with n words, the equivalent effort for RSA decryption is j/4 n-by-n-word multiplies.

RSA解密必须使用一个指数,该指数的位数等于模j。然而,中国的余数定理适用,所有的计算都可以用n/2字的模和j/2位的指数来完成。计算必须进行两次,每个因素一次。这一努力相当于2*(j/2)(n/2乘以n/2)-字的倍数。因为将数字与n/2个字相乘的难度仅为将数字与n个字相乘的1/4,因此RSA解密的等效工作量是j/4 n乘以n个字。

If you double the size of the modulus for RSA, the n-by-n multiplies will take four times as long. Further, the decryption time doubles because the exponent is larger. The overall scaling cost is a factor of 4 for encryption, a factor of 8 for decryption.

如果将RSA的模的大小增加一倍,n乘n的乘法将花费四倍的时间。此外,解密时间加倍,因为指数更大。总体扩展成本是加密的4倍,解密的8倍。

3.3. Real-world examples
3.3. 现实世界的例子

To make these numbers more real, here are a few examples of software implementations run on hardware that was current as of a few years before the publication of this document. The examples are included to show rough estimates of reasonable implementations; they are not benchmarks. As with all software, the performance will depend on the exact details of specialization of the code to the problem and the specific hardware.

为了使这些数字更加真实,以下是一些在本文档发布前几年在硬件上运行的软件实现示例。包括示例以显示对合理实现的粗略估计;它们不是基准。与所有软件一样,性能将取决于针对问题和特定硬件的代码专门化的确切细节。

The best time informally reported for a 1024-bit modular exponentiation (the decryption side of 2048-bit RSA), is 0.9 ms (about 450,000 CPU cycles) on a 500 MHz Itanium processor. This shows that newer processors are not losing ground on big number operations; the number of instructions is less than a 32-bit processor uses for a 256-bit modular exponentiation.

非正式报告的1024位模幂运算(2048位RSA的解密端)的最佳时间是500 MHz安腾处理器上的0.9毫秒(约450000个CPU周期)。这表明,较新的处理器并没有在大数运算上失利;指令数少于32位处理器用于256位模幂运算的指令数。

For less advanced processors timing, the following two tables (computed by Tero Monenen at SSH Communications) for modular exponentiation, such as would be done in a Diffie-Hellman key exchange.

对于不太高级的处理器计时,以下两个表(由Tero Monenen在SSH Communications上计算)用于模块求幂,例如在Diffie-Hellman密钥交换中完成。

Celeron 400 MHz; compiled with GNU C compiler, optimized, some platform specific coding optimizations:

赛扬400兆赫;使用GNU C编译器编译,优化,一些特定于平台的编码优化:

group modulus exponent time type size size mod 768 ~150 18 msec mod 1024 ~160 32 msec mod 1536 ~180 82 msec ecn 155 ~150 35 msec ecn 185 ~200 56 msec

组模指数时间类型大小mod 768~150 18毫秒mod 1024~160 32毫秒mod 1536~180 82毫秒ecn 155~150 35毫秒ecn 185~200 56毫秒

The group type is from [RFC2409] and is either modular exponentiation ("mod") or elliptic curve ("ecn"). All sizes here and in subsequent tables are in bits.

组类型来自[RFC2409],是模幂运算(“mod”)或椭圆曲线(“ecn”)。此处和后续表格中的所有大小均以位为单位。

Alpha 500 MHz compiled with Digital's C compiler, optimized, no platform specific code:

Alpha 500 MHz使用Digital的C编译器编译,经过优化,无平台特定代码:

group modulus exponent time type size size mod 768 ~150 12 msec mod 1024 ~160 24 msec mod 1536 ~180 59 msec ecn 155 ~150 20 msec ecn 185 ~200 27 msec

组模指数时间类型大小mod 768~150 12毫秒mod 1024~160 24毫秒mod 1536~180 59毫秒ecn 155~150 20毫秒ecn 185~200 27毫秒

The following two tables (computed by Eric Young) were originally for RSA signing operations, using the Chinese Remainder representation. For ease of understanding, the parameters are presented here to show the interior calculations, i.e., the size of the modulus and exponent used by the software.

以下两个表(由Eric Young计算)最初用于RSA签名操作,使用中文余数表示。为便于理解,此处提供的参数用于显示内部计算,即软件使用的模量和指数的大小。

Dual Pentium II-350:

双奔腾II-350:

equiv equiv equiv modulus exponent time size size 256 256 1.5 ms 512 512 8.6 ms 1024 1024 55.4 ms 2048 2048 387 ms

等效等效模指数时间大小256 256 1.5 ms 512 8.6 ms 1024 55.4 ms 2048 2048 387 ms

Alpha 264 600mhz:

阿尔法264 600mhz:

equiv equiv equiv modulus exponent time size size 512 512 1.4 ms

等效等效模指数时间大小512 512 1.4 ms

Recent chips that accelerate exponentiation can perform 1024-bit exponentiations (1024 bit modulus, 1024 bit exponent) in about 3 milliseconds or less.

最新的加速指数运算的芯片可以在大约3毫秒或更短的时间内执行1024位指数运算(1024位模数,1024位指数)。

4. Equivalences of Key Sizes
4. 键大小的等价性

In order to determine how strong a public key is needed to protect a particular symmetric key, you first need to determine how much effort is needed to break the symmetric key. Many Internet security protocols require the use of TripleDES for strong symmetric encryption, and it is expected that the Advanced Encryption Standard (AES) will be adopted on the Internet in the coming years. Therefore, these two algorithms are discussed here. In this section, for illustrative purposes, we will implicitly assume that the system

为了确定保护特定对称密钥所需的公钥的强度,首先需要确定破解对称密钥所需的工作量。许多互联网安全协议要求使用三重加密来实现强对称加密,预计未来几年互联网将采用高级加密标准(AES)。因此,本文对这两种算法进行了讨论。在本节中,为了便于说明,我们将隐含地假设系统

security requirement is 112 bits; this doesn't mean that 112 bits is recommended. In fact, 112 bits is arguably too strong for any practical purpose. It is used for illustration simply because that is the upper bound on the strength of TripleDES.

安全要求为112位;这并不意味着建议使用112位。事实上,112位对于任何实际用途来说都可能太强。它仅用于说明,因为这是三元组强度的上限。

If one could simply determine the number of MYs it takes to break TripleDES, the task of computing the public key size of equivalent strength would be easy. Unfortunately, that isn't the case here because there are many examples of DES-specific hardware that encrypt faster than DES in software on a standard CPU. Instead, one must determine the equivalent cost for a system to break TripleDES and a system to break the public key protecting a TripleDES key.

如果可以简单地确定打破三元组所需的MYs数量,那么计算同等强度的公钥大小的任务就很容易了。不幸的是,这里的情况并非如此,因为有许多特定于DES的硬件的示例,它们的加密速度比标准CPU上软件中的DES快。相反,必须确定系统破解三重密钥和系统破解保护三重密钥的公钥的等效成本。

In 1998, the Electronic Frontier Foundation (EFF) built a DES-cracking machine [GIL98] for US$130,000 that could test about 1e11 DES keys per second (additional money was spent on the machine's design). The machine's builders fully admit that the machine is not well optimized, and it is estimated that ten times the amount of money could probably create a machine about 50 times as fast. Assuming more optimization by guessing that a system to test TripleDES keys runs about as fast as a system to test DES keys, so approximately US$1 million might test 5e12 TripleDES keys per second.

在1998,电子前沿基金会(EFF)建造了一台DES破解机(GI998),售价130000美元,可以每秒测试1E11DES密钥(额外的钱花在了机器的设计上)。这台机器的制造商完全承认,这台机器没有得到很好的优化,据估计,10倍的资金可能会创造出50倍的速度。假设通过猜测测试三重密钥的系统的运行速度与测试DES密钥的系统的运行速度一样快来进行更多优化,因此大约100万美元可能每秒测试5e12个三重密钥。

In case your adversaries are much richer than EFF, you may want to assume that they have US$1 trillion, enough to test 5e18 keys per second. An exhaustive search of the effective TripleDES space of 2^112 keys with this quite expensive system would take about 1e15 seconds or about 33 million years. (Note that such a system would also need 2^60 bytes of RAM [MH81], which is considered free in this calculation). This seems a needlessly conservative value. However, if computer logic speeds continue to increase in accordance with Moore's Law (doubling in speed every 1.5 years), then one might expect that in about 50 years, the computation could be completed in only one year. For the purposes of illustration, this 50 year resistance against a trillionaire is assumed to be the minimum security requirement for a set of applications.

如果你的对手比EFF富裕得多,你可以假设他们有1万亿美元,足够每秒测试5e18个键。用这个相当昂贵的系统彻底搜索2^112个键的有效三倍空间大约需要15秒或3300万年。(请注意,这样的系统还需要2^60字节的RAM[MH81],这在本次计算中被认为是免费的)。这似乎是一个不必要的保守值。然而,如果计算机逻辑速度继续按照摩尔定律增长(每1.5年速度翻一番),那么人们可能会预计在大约50年内,计算只需一年即可完成。为了便于说明,假定对trillionaire的50年抵抗是一组应用的最低安全要求。

If 112 bits of attack resistance is the system security requirement, then the key exchange system for TripleDES should have equivalent difficulty; that is to say, if the attacker has US$1 trillion, you want him to spend all his money to buy hardware today and to know that he will "crack" the key exchange in not less than 33 million years. (Obviously, a rational attacker would wait for about 45 years before actually spending the money, because he could then get much better hardware, but all attackers benefit from this sort of wait equally.)

如果112位的抗攻击能力是系统安全要求,那么三重密钥交换系统应该具有同等的难度;这就是说,如果攻击者有1万亿美元,你希望他今天把所有的钱都花在购买硬件上,并且知道他将在不少于3300万年内“破解”密钥交换。(显然,一个理性的攻击者在实际花钱之前会等待大约45年,因为他可以得到更好的硬件,但所有攻击者都会从这种等待中平等受益。)

It is estimated that a typical PC CPU of just a few years ago can generate over 500 MIPs and could be purchased for about US$100 in quantity; thus you get more than 5 MIPs/US$. Again, this number doubles about every 18 months. For one trillion US dollars, an attacker can get 5e12 MIP years of computer instructions on that recent-vintage hardware. This figure is used in the following estimates of equivalent costs for breaking key exchange systems.

据估计,几年前一台典型的PC CPU可以产生500多个MIPs,并且可以以大约100美元的价格购买;因此,您可以获得超过5 MIPs/US$。同样,这个数字大约每18个月翻一番。只要花费1万亿美元,攻击者就可以在最近的老式硬件上获得5e12 MIP年的计算机指令。该数字用于以下断开密钥交换系统的等效成本估算。

4.1. Key equivalence against special purpose brute force hardware
4.1. 针对特殊用途暴力硬件的密钥等价性

If the trillionaire attacker is to use conventional CPU's to "crack" a key exchange for a 112 bit key in the same time that the special purpose machine is spending on brute force search for the symmetric key, the key exchange system must use an appropriately large modulus. Assume that the trillionaire performs 5e12 MIPs of instructions per year. Use the following equation to estimate the modulus size to use with RSA encryption or DH key exchange:

如果trillionaire攻击者在专用机器花费蛮力搜索对称密钥的同时,使用传统CPU“破解”112位密钥的密钥交换,则密钥交换系统必须使用适当大的模数。假设trillionaire每年执行5e12 MIPs指令。使用以下等式估计RSA加密或DH密钥交换使用的模大小:

      5*10^33 = (6*10^-16)*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        
      5*10^33 = (6*10^-16)*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        

Solving this approximately for n yields:

对于n,近似求解该问题得到:

      n = 10^(625) = 2^(2077)
        
      n = 10^(625) = 2^(2077)
        

Thus, assuming similar logic speeds and the current efficiency of the number field sieve, moduli with about 2100 bits will have about the same resistance against attack as an 112-bit TripleDES key. This indicates that RSA public key encryption should use a modulus with around 2100 bits; for a Diffie-Hellman key exchange, one could use a slightly smaller modulus, but it is not a significant difference.

因此,假设类似的逻辑速度和数字字段筛选的当前效率,具有约2100位的模将具有与112位三元组密钥相同的抗攻击能力。这表明RSA公钥加密应使用约2100位的模;对于Diffie-Hellman密钥交换,可以使用稍小的模数,但这并不是一个显著的差异。

4.2 Key equivalence against conventional CPU brute force attack
4.2 针对传统CPU暴力攻击的密钥等价性

An alternative way of estimating this assumes that the attacker has a less challenging requirement: he must only "crack" the key exchange in less time than a brute force key search against the symmetric key would take with general purpose computers. This is an "apples-to-apples" comparison, because it assumes that the attacker needs only to have computation donated to his effort, not built from a personal or national fortune. The public key modulus will be larger than the one in 4.1, because the symmetric key is going to be viable for a longer period of time.

另一种评估方法是假设攻击者的要求不那么具有挑战性:他只需在比普通计算机对对称密钥进行暴力密钥搜索更短的时间内“破解”密钥交换。这是一个“苹果对苹果”的比较,因为它假设攻击者只需要将计算捐赠给他的努力,而不是从个人或国家财富中构建。公钥模数将大于4.1中的模数,因为对称密钥在更长的时间内是可行的。

Assume that the number of CPU instructions to encrypt a block of material using TripleDES is 300. The estimated number of computer instructions to break 112 bit TripleDES key:

假设使用TripleDES加密材料块的CPU指令数为300。断开112位三元组密钥的计算机指令的估计数量:

      300 * 2^112
      = 1.6 * 10^(36)
      = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        
      300 * 2^112
      = 1.6 * 10^(36)
      = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        

Solving this approximately for n yields:

对于n,近似求解该问题得到:

      n = 10^(734) = 2^(2439)
        
      n = 10^(734) = 2^(2439)
        

Thus, for general purpose CPU attacks, you can assume that moduli with about 2400 bits will have about the same strength against attack as an 112-bit TripleDES key. This indicates that RSA public key encryption should use a modulus with around 2400 bits; for a Diffie-Hellman key exchange, one could use a slightly smaller modulus, but it not a significant difference.

因此,对于一般用途的CPU攻击,您可以假设大约2400位的模将具有与112位TripleDES密钥相同的抗攻击强度。这表明RSA公钥加密应使用约2400位的模;对于Diffie-Hellman密钥交换,可以使用稍小的模数,但这并没有显著差异。

Note that some authors assume that the algorithms underlying the number field sieve will continue to get better over time. These authors recommend an even larger modulus, over 4000 bits, for protecting a 112-bit symmetric key for 50 years. This points out the difficulty of long-term cryptographic security: it is all but impossible to predict progress in mathematics and physics over such a long period of time.

请注意,一些作者认为数字字段筛下的算法将随着时间的推移继续变得更好。这些作者建议使用更大的模数,超过4000位,以保护112位对称密钥50年。这就指出了长期密码安全的困难:在如此长的一段时间内预测数学和物理的进展几乎是不可能的。

4.3. A One Year Attack: 80 bits of strength
4.3. 一年的进攻:80点力量

Assuming a trillionaire spends his money today to buy hardware, what size key exchange numbers could he "crack" in one year? He can perform 5*e12 MYs of instructions, or

假设一个万亿富翁今天把钱花在购买硬件上,他能在一年内“破解”多大的关键交换号码?他可以执行5*e12 MYs的指令,或者

      3*10^13 * 5*10^12 = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        
      3*10^13 * 5*10^12 = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
        

Solving for an approximation of n yields

n产量近似值的求解

      n = 10^(360) = 2^(1195)
        
      n = 10^(360) = 2^(1195)
        

This is about as many operations as it would take to crack an 80-bit symmetric key by brute force.

这大约是用蛮力破解80位对称密钥所需的操作数。

Thus, for protecting data that has a secrecy requirement of one year against an incredibly rich attacker, a key exchange modulus with about 1200 bits protecting an 80-bit symmetric key is safe even against a nation's resources.

因此,为了保护具有一年保密要求的数据免受极其丰富的攻击者的攻击,一个大约1200位的密钥交换模数保护一个80位对称密钥,即使是针对一个国家的资源,也是安全的。

4.4. Key equivalence for other ciphers
4.4. 其他密码的密钥等价性

Extending this logic to the AES is straightforward. For purposes of estimation for key searching, one can think of the 128-bit AES as being at least 16 bits stronger than TripleDES but about three times

将此逻辑扩展到AES是很简单的。为了估计密钥搜索,我们可以认为128位AES至少比三倍AES强16位,但大约是三倍

as fast. The time and cost for a brute force attack is approximately 2^(16) more than for TripleDES, and thus, under the assumption that 128 bits of strength is the desired security goal, the recommended key exchange modulus size is about 700 bits longer.

同样快。蛮力攻击的时间和成本大约比三倍攻击多2^(16),因此,假设128位强度是所需的安全目标,建议的密钥交换模数大小大约长700位。

If it is possible to design hardware for AES cracking that is considerably more efficient than hardware for DES cracking, then (again under the assumption that the key exchange strength must match the brute force effort) the moduli for protecting the key exchange can be made smaller. However, the existence of such designs is only a matter of speculation at this early moment in the AES lifetime.

如果可以为AES破解设计比DES破解效率更高的硬件,那么(同样假设密钥交换强度必须与蛮力作用相匹配)保护密钥交换的模量可以更小。然而,在AES生命周期的早期,这种设计的存在只是一个推测的问题。

The AES ciphers have key sizes of 128 bits up to 256 bits. Should a prudent minimum security requirement, and thus the key exchange moduli, have similar strengths? The answer to this depends on whether or not one expect Moore's Law to continue unabated. If it continues, one would expect 128 bit keys to be safe for about 60 years, and 256 bit keys would be safe for another 400 years beyond that, far beyond any imaginable security requirement. But such progress is difficult to predict, as it exceeds the physical capabilities of today's devices and would imply the existence of logic technologies that are unknown or infeasible today. Quantum computing is a candidate, but too little is known today to make confident predictions about its applicability to cryptography (which itself might change over the next 100 years!).

AES密码的密钥大小为128位到256位。谨慎的最低安全要求,以及密钥交换模块,是否应该具有类似的优势?这一问题的答案取决于人们是否期望摩尔定律继续保持不变。如果这种情况继续下去,人们预计128位密钥可以安全使用大约60年,256位密钥可以安全使用400年,远远超过任何可以想象的安全要求。但这样的进步很难预测,因为它超过了当今设备的物理能力,并意味着存在着今天未知或不可行的逻辑技术。量子计算是一个候选者,但如今人们对它的了解太少,无法对它在密码学中的适用性做出自信的预测(密码学本身可能在未来100年内发生变化!)。

If Moore's Law does not continue to hold, if no new computational paradigms emerge, then keys of over 100 bits in length might well be safe "forever". Note, however that others have come up with estimates based on assumptions of new computational paradigms emerging. For example, Lenstra and Verheul's web-based paper "Selecting Cryptographic Key Sizes" chooses a more conservative analysis than the one in this document.

如果摩尔定律不再成立,如果没有新的计算范式出现,那么长度超过100位的密钥可能“永远”安全。然而,请注意,其他人根据新出现的计算范式的假设提出了估计。例如,Lenstra和Verheul基于web的论文“选择加密密钥大小”选择了比本文中更保守的分析。

4.5. Hash functions for deriving symmetric keys from public key algorithms

4.5. 用于从公钥算法导出对称密钥的哈希函数

The Diffie-Hellman algorithm results in a key that is hundreds or thousands of bits long, but ciphers need far fewer bits than that. How can one distill a long key down to a short one without losing strength?

Diffie-Hellman算法产生的密钥长度为数百或数千位,但密码所需的位远少于此长度。一个人怎样才能在不失去力量的情况下把一把长钥匙提取成一把短钥匙呢?

Cryptographic one-way hash functions are the building blocks for this, and so long as they use all of the Diffie-Hellman key to derive each block of the symmetric key, they produce keys with sufficient strength.

加密单向散列函数是这方面的构建块,只要它们使用所有Diffie-Hellman密钥来派生对称密钥的每个块,它们就会生成具有足够强度的密钥。

The usual recommendation is to use a good one-way hash function applied to he base material (the result of the key exchange) and to use a subset of the hash function output for the key. However, if the desired key length is greater than the output of the hash function, one might wonder how to reconcile the two.

通常的建议是对基础材料(密钥交换的结果)使用良好的单向散列函数,并对密钥使用散列函数输出的子集。但是,如果所需的键长度大于散列函数的输出,人们可能想知道如何协调这两者。

The step of deriving extra key bits must satisfy these requirements:

导出额外密钥位的步骤必须满足以下要求:

- The bits must not reveal any information about the key exchange secret

- bits不得泄露有关密钥交换秘密的任何信息

- The bits must not be correlated with each other

- 这些位不得相互关联

- The bits must depend on all the bits of the key exchange secret

- 这些位必须依赖于密钥交换机密的所有位

Any good cryptographic hash function satisfies these three requirements. Note that the number of bits of output of the hash function is not specified. That is because even a hash function with a very short output can be iterated to produce more uncorrelated bits with just a little bit of care.

任何好的加密哈希函数都满足这三个要求。请注意,未指定哈希函数输出的位数。这是因为,即使是输出非常短的哈希函数,只要稍微小心一点,也可以迭代生成更多的不相关位。

For example, SHA-1 has 160 bits of output. For deriving a key of attack resistance of 160 bits or less, SHA(DHkey) produces a good symmetric key.

例如,SHA-1有160位输出。为了导出抗攻击能力为160位或更少的密钥,SHA(DHkey)生成了一个良好的对称密钥。

Suppose one wants a key with attack resistance of 160 bits, but it is to be used with a cipher that uses 192 bit keys. One can iterate SHA-1 as follows:

假设有人想要一个抗攻击能力为160位的密钥,但它将与使用192位密钥的密码一起使用。可以如下迭代SHA-1:

      Bits 1-160   of the symmetric key = K1 = SHA(DHkey | 0x00)
                   (that is, concatenate a single octet of value 0x00 to
                   the right side of the DHkey, and then hash)
      Bits 161-192 of the symmetric key = K2 =
                   select_32_bits(SHA(K1 | 0x01))
        
      Bits 1-160   of the symmetric key = K1 = SHA(DHkey | 0x00)
                   (that is, concatenate a single octet of value 0x00 to
                   the right side of the DHkey, and then hash)
      Bits 161-192 of the symmetric key = K2 =
                   select_32_bits(SHA(K1 | 0x01))
        

But what if one wants 192 bits of strength for the cipher? Then the appropriate calculation is

但是如果一个人想要192比特的密码强度呢?然后进行适当的计算

      Bits 1-160   of the symmetric key = SHA(0x00 | DHkey)
      Bits 161-192 of the symmetric key =
                   select_32_bits(SHA(0x01 | DHkey))
        
      Bits 1-160   of the symmetric key = SHA(0x00 | DHkey)
      Bits 161-192 of the symmetric key =
                   select_32_bits(SHA(0x01 | DHkey))
        

(Note that in the description above, instead of concatenating a full octet, concatenating a single bit would also be sufficient.)

(注意,在上面的描述中,连接一个位也就足够了,而不是连接一个完整的八位字节。)

The important distinction is that in the second case, the DH key is used for each part of the symmetric key. This assures that entropy of the DH key is not lost by iteration of the hash function over the same bits.

重要的区别在于,在第二种情况下,DH密钥用于对称密钥的每个部分。这确保DH密钥的熵不会因哈希函数在相同比特上的迭代而丢失。

From an efficiency point of view, if the symmetric key must have a great deal of entropy, it is probably best to use a cryptographic hash function with a large output block (192 bits or more), rather than iterating a smaller one.

从效率的角度来看,如果对称密钥必须具有大量的熵,那么最好使用具有较大输出块(192位或更多)的加密哈希函数,而不是迭代较小的输出块。

Newer hash algorithms with longer output (such as SHA-256, SHA-384, and SHA-512) can be used with the same level of security as the stretching algorithm described above.

具有较长输出的较新散列算法(如SHA-256、SHA-384和SHA-512)可以使用与上述拉伸算法相同级别的安全性。

4.6. Importance of randomness
4.6. 随机性的重要性

Some of the calculations described in this document require random inputs; for example, the secret Diffie-Hellman exponents must be chosen based on n truly random bits (where n is the system security requirement). The number of truly random bits is extremely important to determining the strength of the output of the calculations. Using truly random numbers is often overlooked, and many security applications have been significantly weakened by using insufficient random inputs. A much more complete description of the importance of random numbers can be found in [ECS].

本文件中描述的一些计算需要随机输入;例如,机密Diffie-Hellman指数必须基于n个真正随机的位(其中n是系统安全要求)来选择。真正随机位的数量对于确定计算输出的强度非常重要。使用真正的随机数常常被忽视,许多安全应用程序由于使用不充分的随机输入而大大削弱。有关随机数重要性的更完整描述,请参见[ECS]。

5. Conclusion
5. 结论

In this table it is assumed that attackers use general purpose computers, that the hardware is purchased in the year 2000, and that mathematical knowledge relevant to the problem remains the same as today. This is an pure "apples-to-apples" comparison demonstrating how the time for a key exchange scales with respect to the strength requirement. The subgroup size for DSA is included, if that is being used for supporting authentication as part of the protocol; the DSA modulus must be as long as the DH modulus, but the size of the "q" subgroup is also relevant.

在该表中,假设攻击者使用通用计算机,硬件是在2000年购买的,与问题相关的数学知识与今天相同。这是一个纯粹的“苹果对苹果”比较,展示了密钥交换的时间是如何根据强度要求进行缩放的。如果DSA用于支持作为协议一部分的身份验证,则包含DSA的子组大小;DSA模数必须与DH模数一样长,但“q”子组的大小也相关。

   +-------------+-----------+--------------+--------------+
   | System      |           |              |              |
   | requirement | Symmetric | RSA or DH    | DSA subgroup |
   | for attack  | key size  | modulus size | size         |
   | resistance  | (bits)    | (bits)       | (bits)       |
   | (bits)      |           |              |              |
   +-------------+-----------+--------------+--------------+
   |     70      |     70    |      947     |     129      |
   |     80      |     80    |     1228     |     148      |
   |     90      |     90    |     1553     |     167      |
   |    100      |    100    |     1926     |     186      |
   |    150      |    150    |     4575     |     284      |
   |    200      |    200    |     8719     |     383      |
   |    250      |    250    |    14596     |     482      |
   +-------------+-----------+--------------+--------------+
        
   +-------------+-----------+--------------+--------------+
   | System      |           |              |              |
   | requirement | Symmetric | RSA or DH    | DSA subgroup |
   | for attack  | key size  | modulus size | size         |
   | resistance  | (bits)    | (bits)       | (bits)       |
   | (bits)      |           |              |              |
   +-------------+-----------+--------------+--------------+
   |     70      |     70    |      947     |     129      |
   |     80      |     80    |     1228     |     148      |
   |     90      |     90    |     1553     |     167      |
   |    100      |    100    |     1926     |     186      |
   |    150      |    150    |     4575     |     284      |
   |    200      |    200    |     8719     |     383      |
   |    250      |    250    |    14596     |     482      |
   +-------------+-----------+--------------+--------------+
        
5.1. TWIRL Correction
5.1. 旋转校正

If the TWIRL machine becomes a reality, and if there are advances in parallelism for row reduction in factoring, then conservative estimates would subtract about 11 bits from the system security column of the table. Thus, in order to get 89 bits of security, one would need an RSA modulus of about 1900 bits.

如果TWIRL机器成为现实,并且如果因子分解中行减少的并行性有所提高,那么保守估计将从表的系统安全列中减去大约11位。因此,为了获得89位的安全性,需要大约1900位的RSA模。

6. Security Considerations
6. 安全考虑

The equations and values given in this document are meant to be as accurate as possible, based on the state of the art in general purpose computers at the time that this document is being written. No predictions can be completely accurate, and the formulas given here are not meant to be definitive statements of fact about cryptographic strengths. For example, some of the empirical results used in calibrating the formulas in this document are probably not completely accurate, and this inaccuracy affects the estimates. It is the authors' hope that the numbers presented here vary from real world experience as little as possible.

根据编写本文件时通用计算机的最新技术,本文件中给出的方程式和数值应尽可能精确。任何预测都不可能完全准确,这里给出的公式也不是关于密码强度的决定性事实陈述。例如,本文件中校准公式时使用的一些经验结果可能不完全准确,这种不准确会影响估计。作者希望这里给出的数字尽可能少地与现实世界的经验不同。

7. References
7. 工具书类
7.1. Informational References
7.1. 参考资料

[DL] Dodson, B. and A. K. Lenstra, NFS with four large primes: an explosive experiment, Proceedings Crypto 95, Lecture Notes in Comput. Sci. 963, (1995) 372-385.

[DL]Dodson,B.和A.K.Lenstra,《具有四个大素数的NFS:爆炸性实验》,《加密程序95》,计算机课堂讲稿。Sci。963, (1995) 372-385.

[ECS] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

[ECS]Eastlake,D.,Crocker,S.和J.Schiller,“安全性的随机性建议”,RFC 1750,1994年12月。

[GIL98] Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design , Electronic Frontier Foundation, John Gilmore (Ed.), 272 pages, May 1998, O'Reilly & Associates; ISBN: 1565925203

[GI98]破解DES:加密研究的秘密,窃听政治和芯片设计,电子前沿基金会,John Gilmore(ED),272页,1998年5月,O'ReLy&Associates;国际标准书号:1565925203

[GOR93] Gordon, D., "Discrete logarithms in GF(p) using the number field sieve", SIAM Journal on Discrete Mathematics, 6 (1993), 124-138.

[GOR93]Gordon,D.,“使用数字域筛的GF(p)中的离散对数”,暹罗离散数学杂志,6(1993),124-138。

[LEN93] Lenstra, A. K. and H. W. Lenstra, Jr. (eds), The development of the number field sieve, Lecture Notes in Math, 1554, Springer Verlag, Berlin, 1993.

[LEN93]Lenstra,A.K.和H.W.Lenstra,Jr.(编辑部),《数域筛的发展》,数学课堂讲稿,1554年,柏林斯普林格·维拉格,1993年。

[MH81] Merkle, R.C., and Hellman, M., "On the Security of Multiple Encryption", Communications of the ACM, v. 24 n. 7, 1981, pp. 465-467.

[MH81]Merkle,R.C.和Hellman,M.,“多重加密的安全性”,ACM通信,v。24 n。1981年7月,第465-467页。

[ODL95] RSA Labs Cryptobytes, Volume 1, No. 2 - Summer 1995; The Future of Integer Factorization, A. M. Odlyzko

[ODL95]RSA实验室Cryptobytes,第1卷,第2期——1995年夏季;整数分解的未来,A.M.Odlyzko

[ODL99] A. M. Odlyzko, Discrete logarithms: The past and the future, Designs, Codes, and Cryptography (1999).

[ODL99]A.M.Odlyzko,离散对数:过去和未来,设计,代码和密码学(1999)。

[POL78] J. Pollard, "Monte Carlo methods for index computation mod p", Mathematics of Computation, 32 (1978), 918-924.

[POL78]J.Pollard,“指数计算mod p的蒙特卡罗方法”,计算数学,32(1978),918-924。

[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[RFC2409]Harkins,D.和D.Carrel,“互联网密钥交换(IKE)”,RFC 2409,1998年11月。

[SCH95] R. Schroeppel, et al., Fast Key Exchange With Elliptic Curve Systems, In Don Coppersmith, editor, Advances in Cryptology -- CRYPTO 31 August 1995. Springer-Verlag

[SCH95]R.Schroeppel,et al.,椭圆曲线系统的快速密钥交换,载于Don Coppersmith,编者,《密码学进展——加密》,1995年8月31日。斯普林格·维拉格

[SHAMIR03] Shamir, Adi and Eran Tromer, "Factoring Large Numbers with the TWIRL Device", Advances in Cryptology - CRYPTO 2003, Springer, Lecture Notes in Computer Science 2729.

[SHAMIR03]Shamir,Adi和Eran Tromer,“利用旋转装置分解大数”,密码学进展-加密2003,Springer,计算机科学讲稿2729。

[SIL00] R. D. Silverman, RSA Laboratories Bulletin, Number 13 - April 2000, A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths

[SIL00]R.D.Silverman,RSA实验室公报,第13号,2000年4月,对称和非对称密钥长度的基于成本的安全分析

[SILIEEE99] R. D. Silverman, "The Mythical MIPS Year", IEEE Computer, August 1999.

[SILIEEE99]R.D.Silverman,“神秘的MIPS年”,IEEE计算机,1999年8月。

8. Authors' Addresses
8. 作者地址

Hilarie Orman Purple Streak Development 500 S. Maple Dr. Salem, UT 84653

Hilarie Orman紫色条纹发展500 S.Maple Salem博士,UT 84653

   EMail: hilarie@purplestreak.com and ho@alum.mit.edu
        
   EMail: hilarie@purplestreak.com and ho@alum.mit.edu
        

Paul Hoffman VPN Consortium 127 Segre Place Santa Cruz, CA 95060 USA

美国加利福尼亚州圣克鲁斯塞格雷广场127号保罗·霍夫曼VPN联盟,邮编95060

   EMail: paul.hoffman@vpnc.org
        
   EMail: paul.hoffman@vpnc.org
        
9. Full Copyright Statement
9. 完整版权声明

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。