At 11:49 AM -0800 2/25/02, bear wrote:
>...
>The "secure forever" level of difficulty that we used to believe
>we got from 2kbit keys in RSA is apparently a property of 6kbit
>keys and higher, barring further highly-unexpected discoveries.
Highly-unexpected? All of public key cryptography is built on unproven mathematical assumptions. Why should this be the last breakthrough? If you plot the curve of what key length was considered long enough as a function of time, it doesn't look very good. Perhaps it is time to stop claiming "secure forever" altogether until solid mathematical proofs of security are available.

>...
>I predict that Elliptic-Curve systems are about to become more
>popular.
>

I'm not completely comfortable with Elliptic-Curve systems. The mathematics is relatively young and has seen a lot of progress. Yet typical EC key length recommendations are based on the assumption that there is no way to calculate discrete logs in EC groups that is any faster than the general algorithm that applies to all finite groups. That sounds pretty aggressive to me.

If we are going to have to upgrade OpenPGP standards in light of the Bernstein paper, I would suggest a standard that combines RSA, EC and, if possible, a third PK system whose algorithm is based on an apparently independent problem. The advantage of double or triple encryption is that a breakthrough in one problem area does not immediately compromise all your previously encrypted data. And you can upgrade the component key in question and distribute it signed with the old key, without having to start from scratch in establishing trust.

Most personal computers are capable of this level of security. Why settle for less?

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
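The combination Reinhold proposes, a session key that depends on two public-key systems resting on different hard problems, can be shown as an added example that is not part of this thread. The code below (mine, not the list's or OpenPGP's) encapsulates one secret with textbook RSA and a second with finite-field Diffie-Hellman, then mixes both into one 32-byte key with an HKDF-shaped extract-then-expand over SHA-256. The point it makes is that an attacker who has fully broken one component still faces 128 unknown bits from the other, so old ciphertexts are not exposed by a single breakthrough. All parameters are toy-sized and constructed for illustration only: the RSA primes are assumed to be 2^64-59 and 2^63-25, the DH group is the multiplicative group mod the Mersenne prime 2^127-1 with generator 3, and the combiner label string and function names are my own choices.

```python
import hashlib
import hmac
import secrets

# ---- Component 1: textbook RSA used as a KEM (toy parameters, constructed) ----
# Assumed primes: 2^64 - 59 and 2^63 - 25. A real deployment would use a
# modulus of at least 2048 bits and a padded encapsulation (e.g. RSA-KEM/OAEP).
RSA_P = (1 << 64) - 59
RSA_Q = (1 << 63) - 25
RSA_N = RSA_P * RSA_Q                      # < 2^127, so values fit in 16 bytes
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent


def rsa_encaps():
    """Sender: choose random r, transmit r^e mod n, keep r as the shared secret."""
    r = secrets.randbelow(RSA_N - 2) + 2
    return pow(r, RSA_E, RSA_N), r.to_bytes(16, "big")


def rsa_decaps(ct):
    """Recipient: recover r from the ciphertext with the private exponent."""
    return pow(ct, RSA_D, RSA_N).to_bytes(16, "big")


# ---- Component 2: finite-field Diffie-Hellman used as a KEM (toy group) ----
# Assumed group: Z_p^* for the Mersenne prime p = 2^127 - 1, generator 3.
DH_P = (1 << 127) - 1
DH_G = 3
DH_X = secrets.randbelow(DH_P - 2) + 1     # recipient's static private key
DH_Y = pow(DH_G, DH_X, DH_P)               # recipient's static public key


def dh_encaps():
    """Sender: ephemeral t, transmit g^t, shared secret is y^t = g^(x*t)."""
    t = secrets.randbelow(DH_P - 2) + 1
    return pow(DH_G, t, DH_P), pow(DH_Y, t, DH_P).to_bytes(16, "big")


def dh_decaps(ct):
    """Recipient: (g^t)^x equals y^t."""
    return pow(ct, DH_X, DH_P).to_bytes(16, "big")


# ---- Combiner: both secrets feed one key derivation ----
def combine(ss_rsa, ss_dh, ct_rsa, ct_dh):
    """HKDF-style extract (HMAC over ss_rsa || ss_dh) then one expand block,
    with both ciphertexts bound into the info string. Neither secret alone
    determines the output: the other contributes 128 unknown bits to the PRK."""
    prk = hmac.new(b"rsa+dh combiner v1", ss_rsa + ss_dh, hashlib.sha256).digest()
    info = ct_rsa.to_bytes(16, "big") + ct_dh.to_bytes(16, "big")
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def encapsulate():
    """Sender side: returns (ct_rsa, ct_dh, session_key)."""
    ct_rsa, ss_rsa = rsa_encaps()
    ct_dh, ss_dh = dh_encaps()
    return ct_rsa, ct_dh, combine(ss_rsa, ss_dh, ct_rsa, ct_dh)


def decapsulate(ct_rsa, ct_dh):
    """Recipient side: rebuild the same session key from both ciphertexts."""
    return combine(rsa_decaps(ct_rsa), dh_decaps(ct_dh), ct_rsa, ct_dh)


if __name__ == "__main__":
    ct_rsa, ct_dh, k_send = encapsulate()
    print("recipient derives same key:", decapsulate(ct_rsa, ct_dh) == k_send)
    # Model an attacker who has broken RSA entirely (knows ss_rsa) but not DH:
    k_rsa_only = combine(rsa_decaps(ct_rsa), bytes(16), ct_rsa, ct_dh)
    print("RSA-only break yields session key:", k_rsa_only == k_send)
```

Because the secrets are concatenated before the extract step rather than XORed, a component that an attacker can force to a known value (for example by breaking it completely) does not cancel the contribution of the other. The ciphertexts are folded into the expand step so the derived key is tied to this particular exchange, which also means a component key can be rotated later without changing how the combiner works.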