On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:
...We should also recognize that in cryptography, a small integer safety
margin isn't good enough. If one estimates that a powerful opponent
could attack a 1024 bit RSA key in, say, two years, that's not even a
factor of 10 over 90 days, and people spending lots of money have a good
record of squeezing out factors of 10 here and there. Finding an
exponential speedup in an algorithm is not something one can do, but
figuring out a process trick to remove a small constant is entirely

Meanwhile, of course, the 1024 bit "short term" keying system may end up
staying in place far longer than we imagine -- things like this often
roll out and stay in place for a decade or two even when we imagine we
can get rid of them quickly.
As I read it, "short term" refers to the lifetime of the *key*, not the lifetime of the *system*.

Do we really believe we won't be able to
attack a 1024 bit key with a sufficiently large budget even in 10 years? ...
Currently, the cryptographic cost of an attack is ... 0. How many attacks have there been? Perhaps the perceived value of owning part of DNS isn't as great as you think.

If the constraints elsewhere in the system limit the number of bits of signature you can transfer, you're stuck. Presumably over time you'd want to go to a more bit-efficient signature scheme, perhaps using ECC. But as it is, the choice appears to be between (a) continuing the current completely unprotected system and (b) *finally* rolling out protection sufficient to block all but very well funded attacks for a number of years.

Should we let the best be the enemy of the good here?

                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to