let the flaming begin or Factoring Breakthrough?
Werner Koch
wk@gnupg.org
Thu Feb 28 09:25:01 2002
On Thu, 28 Feb 2002 00:29:27 +0100, Ingo Klöcker said:
> indeed be drastically reduced. The only problem is that this machine
> doesn't exist yet. Of course the NSA could easily build such a machine.
Don't overestimate the power of the NSA. The paper talks about a
hypothetical machine; with current technology it is not possible to
build such a box.
> enough. New RSA keys should IMO nevertheless have at least 2048 bits.
Nonsense. There are a lot of far out weaker points you can attack in a
real world scenario. No non-academic attacker would try to mount a
factoring attack.
Let's give Bernstein the last word on this:
http://groups.google.com/groups?hl=en&selm=2002Jan1608.53.39.5497%40cr.yp.to
From: D. J. Bernstein (djb@cr.yp.to)
Subject: Re: Strength of PGP vs SSL
Newsgroups: comp.security.pgp.discuss, sci.crypt, alt.security.pgp
Date: 2002-01-16 01:00:11 PST
Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup
means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize
that, at this point, very little is known about the function f. It's
clear that f(n) is approximately (3.009...)n for _very large_ sizes n,
but I don't know whether f(n) is larger than n for _useful_ sizes n.
I'd also like to emphasize that special-purpose hardware is useful for
much more than factorization. In fact, it's much easier to reduce cost
this way for secret-key cryptanalysis or elliptic-curve discrete log
than for factorization.
--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus