On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:

> Moore's law helped immensely here. In the last 5 years systems have gotten 
> about 8 times faster, reducing the processing cost of crypto a lot. 

> The big drawback is that those who want to follow NIST's recommendations 
> to migrate to 2048-bit keys will be returning to the 2005-era overhead. 
> Either way, that's back in line with the above stated 90-95% overhead. 
> Meaning, in Dan's words "2048 ain't happening." 

I'm under the impression that <2048 keys are now insecure mostly due 
to advances in factoring algorithms that make the attack and the
encryption effort closer to, but by no means identical to, scaling 
with the same function of key length.  This makes the asymmetric 
cipher have a lower ratio of attack cost to encryption cost at any given
key length, but larger key lengths still yield *much* higher ratios of 
attack cost to encryption cost.  

At 2048 bits, I think that with Moore's law over the next decade or two
dropping attack costs and encryption costs by the same factor, attack
costs should remain comfortably out of reach while encryption costs
return to current levels now practical for shorter keys. 

Of course, this reckons without the potential for unforeseen advances 
in factoring or quantum computing.

> There are some possibilities my co-workers and I have discussed. For 
> purely internal systems TLS-PSK (RFC 4279) provides symmetric
> encryption through pre-shared keys which provides us with whitelisting
> as well as removing asymmetric crypto. 

That's probably a good idea. We've placed a lot of stock in public-
key systems because of some neat mathematical properties that seemed to 
conform to someone's needs for an online business model involving the
introduction of strangers who want to do business with each other.  But
if you can handle key distribution internally by walking down the hall
or mailing a CD-ROM preloaded with keys instead of by trusting the
network the keys are supposed to secure, you really don't need
public-key crypto's neat mathematical properties.  


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
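
Added illustration (not part of the original message or thread): the attack-cost versus encryption-cost scaling discussed in the reply above, worked numerically. It assumes the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped as the attack cost, cubic scaling in key length for an RSA private-key operation, and the thread's own "8 times faster in 5 years" figure as the hardware trend; all function names are hypothetical.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)   # constant c in L_n[1/3, c] for the general number field sieve
DOUBLINGS_PER_YEAR = 3 / 5     # assumption taken from the thread: 8x faster in 5 years


def gnfs_log2_work(bits: int) -> float:
    """log2 of the heuristic GNFS work to factor a `bits`-bit modulus (o(1) dropped)."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def rsa_private_log2_cost(bits: int) -> float:
    """log2 of the relative private-key operation cost, assuming cubic scaling."""
    return 3 * math.log2(bits)


def log2_ratio(bits: int) -> float:
    """log2(attack cost / private-key cost). Units are relative: compare differences only."""
    return gnfs_log2_work(bits) - rsa_private_log2_cost(bits)


def years_to_close_gap(small: int, large: int) -> float:
    """Years of hardware speedup before attacking `large` costs what `small` costs today."""
    return (gnfs_log2_work(large) - gnfs_log2_work(small)) / DOUBLINGS_PER_YEAR


def compare(sizes=(512, 768, 1024, 2048, 3072)):
    """Rows of (bits, log2 attack work, log2 private-key cost, log2 ratio)."""
    return [
        (b, round(gnfs_log2_work(b), 1), round(rsa_private_log2_cost(b), 1),
         round(log2_ratio(b), 1))
        for b in sizes
    ]


if __name__ == "__main__":
    print(f"{'bits':>5} {'attack':>7} {'privop':>7} {'ratio':>6}   (all log2)")
    for row in compare():
        print(f"{row[0]:>5} {row[1]:>7} {row[2]:>7} {row[3]:>6}")
    print(f"1024 -> 2048: private-key cost x{2 ** 3}, "
          f"attack work x2^{gnfs_log2_work(2048) - gnfs_log2_work(1024):.1f}, "
          f"gap closes in ~{years_to_close_gap(1024, 2048):.0f} years of hardware speedup")
```

Under these assumptions a uniform hardware speedup leaves the ratio column unchanged, because it lowers attack and encryption cost by the same factor; only an algorithmic change moves it.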
