RSA or DSA? That's the question
Robert J. Hansen
rjh at sixdemonbag.org
Thu Sep 6 14:26:19 CEST 2007

Werner Koch wrote:
> that does not mean you or anyone in the world is able to break it now
> or in the next couple of years.

While I agree that a cryppie's definition of "break" is not the same as
a practical break, I think it's dangerous to make predictions about how
long it takes a cryptographic break to turn into a practical break.
E.g., it took MD5 almost a decade to go from a purely academic break to
an actual collision, but it took SHA-1 under a year.

> Even if it is finally breakable the cost for attacking one key will
> be enormous and thus this threat needs to be balanced with the value
> of the key.

I don't feel comfortable making predictions about how much an unknown
future attack will cost. Take the SHA-1 results as an example: using
the original Shandong U. paper it takes a work factor of 2**69 to
generate a random collision, but just a few weeks later it was down to
2**63. That's a 98.4% cost savings.