Samuel Neves wrote:

> If an attacker creating a special-purpose machine to break your keys is
> a realistic scenario, why are you even considering keys of that size?

What's the threat model?

If the set of possible actors includes first world SIGINT agencies, then yes, 
it is a reasonable assumption that a special configuration of system has been 
created to factor keys.  Think IBM or pre-acquisition SGI or pre-acquisition 
Sun as a supplier of such hardware, scaled up way beyond the configurations 
you'd get in the marketing literature (tens of thousands of cores, terabytes of 
physical RAM, low-range nine-figure price tags).

But as such an attack would likely cost millions of dollars per key, because 
the time to solution would be weeks or even months, then they'll only be using 
it as a last resort.  As Peter correctly pointed out, there are so many other 
viable threat vectors which are available, especially human-in-the-loop ones, 
which would likely be exhausted before that solution was tried.

For non-government level attacks, I agree that such a scenario is unrealistic.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to