Jerry Leichter writes:
>> Do we really believe we won't be able to
>> attack a 1024 bit key with a sufficiently large budget even in 10
>> years? ...
> Currently, the cryptographic cost of an attack is ... 0.  How many
> attacks have there been?  Perhaps the perceived value of owning part
> of DNS isn't as great as you think.

Actually, there are routine attacks on DNS infrastructure these days,
but clearly they're not cryptographic since that's not
deployed. However, a large part of the point of having DNSSEC is that we
can then trust the DNS to be accurate so we can insert things like
cryptographic keys into it. Once we've made the DNS trusted, we have the
problem that people will go off and trust it, you see.

I'm particularly concerned about the fact that it is difficult to a
priori analyze all of the use cases for DNSSEC and what the incentives
may be to attack them. If you can't analyze something, that's a warning
that you don't understand the implications. That makes me fear anything
that says "the key doesn't need to be more than strength X".

Sure, perhaps it is true that the expense of DNSSEC isn't worth it -- we
limp along without it now, as you point out -- but if that is true, what
do we gain by deploying a system which could be compromised in so
straightforward a way, with money being the only constraint? Why deploy
at all if we aren't going to be able to use it as we want? If we can't
trust the data very well, we've spent lots of time and money and gained

I'm doubly questioning because it seems pointless anyway -- the point of
the shorter keys is to avoid needing TCP connections to DNS servers, but
so far as I can tell that will end up becoming rapidly necessary anyway,
at which point one has to ask what one is gaining by lowering key length.

BTW, I've come across some (old) estimates from Shamir et al. that
indicate a TWIRL machine that could break 1024 bit keys in a year would
have cost about $10M something like 5 years ago using a 90nm process. At
this point, with 32nm processes available, they'd be substantially
cheaper, and thus with a serious budget it seems like we're really quite
on the edge here.

Even $10M may now be enough to break them fast enough if you can come up
with a clever speedup of only a small factor, and I don't like trusting
security to the idea that no one with a large budget is clever enough to
find a small constant factor speedup. I presume that in another 10 years
we'll have a quite serious reduction in cost, which is yet worse. All in
all, that's too close for comfort, especially since I can see the point
in a Large Bad Actor spending orders of magnitude more on this than just

Perry E. Metzger      
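
The following is an added example and is not part of the original message: it estimates the wire size of a signed DNSKEY response for RSA keys of different lengths, to show how key length decides whether the answer fits in the UDP payload a client advertises or is truncated and retried over TCP. The zone name, key mixes, 3-byte public exponent and payload limits are assumptions; record layouts follow RFC 1035, RFC 3110 and RFC 4034.

```python
# Added example, not from the original message. Zone name, key mixes and
# payload limits are assumptions; record layouts follow RFC 1035 / RFC 4034.

OPT_RR = 11  # EDNS0 OPT pseudo-record with empty RDATA (root name + 10 fixed bytes)

def name_len(name):
    """Uncompressed wire length: one length byte per label plus the root byte."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".") if label) + 1

def rr_len(rdata_len):
    """RR whose owner name is a 2-byte compression pointer, plus 10 fixed bytes."""
    return 2 + 10 + rdata_len

def dnskey_rdata(bits, exp_len=3):
    """flags(2) + protocol(1) + algorithm(1) + RSA key (exponent length byte, exponent, modulus)."""
    return 4 + 1 + exp_len + bits // 8

def rrsig_rdata(zone, bits):
    """18 fixed bytes + uncompressed signer name + modulus-sized RSA signature."""
    return 18 + name_len(zone) + bits // 8

def dnskey_response_size(zone, key_bits, signer_bits):
    """Header(12) + question + one DNSKEY per key + one RRSIG per signing key + OPT."""
    size = 12 + name_len(zone) + 4 + OPT_RR
    size += sum(rr_len(dnskey_rdata(b)) for b in key_bits)
    size += sum(rr_len(rrsig_rdata(zone, b)) for b in signer_bits)
    return size

def falls_back_to_tcp(size, udp_payload):
    """A response larger than the advertised UDP payload is truncated (TC bit), forcing a TCP retry."""
    return size > udp_payload

if __name__ == "__main__":
    zone = "example.com"  # constructed zone name
    scenarios = {  # constructed key sets: (keys published, keys that sign the RRset)
        "2 x 1024, one signature": ([1024, 1024], [1024]),
        "3 x 1024 during rollover, two signatures": ([1024] * 3, [1024] * 2),
        "2048 KSK + 1024 ZSK, one signature": ([2048, 1024], [2048]),
        "3 x 2048 during rollover, two signatures": ([2048] * 3, [2048] * 2),
    }
    for label, (keys, signers) in scenarios.items():
        size = dnskey_response_size(zone, keys, signers)
        for limit in (512, 1232):  # assumed advertised UDP payload sizes
            verdict = "TCP retry" if falls_back_to_tcp(size, limit) else "fits in UDP"
            print(f"{label:42s} {size:5d} bytes, limit {limit:4d}: {verdict}")
```
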
