# let the flaming begin or Factoring Breakthrough?

**Werner Koch**
wk@gnupg.org

*Thu Feb 28 09:25:01 2002*

On Thu, 28 Feb 2002 00:29:27 +0100, Ingo Klöcker said:

> indeed be drastically reduced. The only problem is that this machine
> doesn't exist yet. Of course the NSA could easily build such a machine.

Don't overestimate the power of the NSA. The paper talks about a
hypothetical machine; with current technology it is not possible to
build such a box.

> enough. New RSA keys should IMO nevertheless have at least 2048 bits.

Nonsense. There are a lot of far weaker points you can attack in a
real world scenario. No non-academic attacker would try to mount a
factoring attack.

Let's give Bernstein the last word on this:

http://groups.google.com/groups?hl=en&selm=2002Jan1608.53.39.5497%40cr.yp.to

From: D. J. Bernstein (djb@cr.yp.to)
Subject: Re: Strength of PGP vs SSL
Newsgroups: comp.security.pgp.discuss, sci.crypt, alt.security.pgp
Date: 2002-01-16 01:00:11 PST

Protecting against the http://cr.yp.to/papers.html#nfscircuit speedup
means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize
that, at this point, very little is known about the function f. It's
clear that f(n) is approximately (3.009...)n for _very large_ sizes n,
but I don't know whether f(n) is larger than n for _useful_ sizes n.

I'd also like to emphasize that special-purpose hardware is useful for
much more than factorization. In fact, it's much easier to reduce cost
this way for secret-key cryptanalysis or elliptic-curve discrete log
than for factorization.

--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus