RSA or DSA? That's the question

Robert J. Hansen rjh at
Thu Sep 6 14:26:19 CEST 2007

Werner Koch wrote:
> that does not mean you or anyone in the world is able to break it now
> or in the next couple of years.

While I agree that a cryppie's definition of "break" is not the same as
a practical break, I think it's dangerous to make predictions about how
long it takes a cryptographic break to turn into a practical break.
E.g., it took MD5 almost a decade to go from a purely academic break to
an actual collision, but it took SHA-1 under a year.

> Even if it is finally breakable the cost for attacking one key will
> be enormous and thus this threat needs to be balanced with the value
> of the key.

I don't feel comfortable making predictions about how much an unknown
future attack will cost.  Take the SHA-1 results as an example: using
the original Shengdong U. paper it takes a work factor of 2**69 to
generate a random collision, but just a few weeks later it was down to
2**63.  That's a 98.4% cost savings.

More information about the Gnupg-users mailing list