let the flaming begin or Factoring Breakthrough?

Werner Koch wk@gnupg.org
Thu Feb 28 09:25:01 2002

On Thu, 28 Feb 2002 00:29:27 +0100, Ingo Klöcker said:

> indeed be drastically reduced. The only problem is that this machine 
> doesn't exist yet. Of course the NSA could easily built such a machine. 

Don't over estimate the power of the NSA.  The paper talks about a
hypothetical machine; with current technology it is not possible to
build such a box.

> enough. New RSA keys should IMO nevertheless have at least 2048 bits.

Nonsense.  There a lot of far out weaker points you can qattack in a
real world scenario.  No non-academic attacker would try to mount a
factoring attack.

Let's give Bernstein the last word on this:


    From: D. J. Bernstein (djb@cr.yp.to)
    Subject: Re: Strength of PGP vs SSL
    Newsgroups: comp.security.pgp.discuss, sci.crypt, alt.security.pgp
    Date: 2002-01-16 01:00:11 PST
   Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup
   means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize
   that, at this point, very little is known about the function f. It's
   clear that f(n) is approximately (3.009...)n for _very large_ sizes n,
   but I don't know whether f(n) is larger than n for _useful_ sizes n.
   I'd also like to emphasize that special-purpose hardware is useful for
   much more than factorization. In fact, it's much easier to reduce cost
   this way for secret-key cryptanalysis or elliptic-curve discrete log
   than for factorization.

Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus