On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:
...We should also recognize that in cryptography, a small integer safety margin isn't good enough. If one estimates that a powerful opponent could attack a 1024 bit RSA key in, say, two years, that's not even a factor of 10 over 90 days, and people spending lots of money have a good record of squeezing out factors of 10 here and there. Finding an exponential speedup in an algorithm is not something one can do, but figuring out a process trick to remove a small constant is entirely possible.
Meanwhile, of course, the 1024 bit "short term" keying system may end up staying in place far longer than we imagine -- things like this often roll out and stay in place for a decade or two even when we imagine we can get rid of them quickly.
As I read it, "short term" refers to the lifetime of the *key*, not the lifetime of the *system*.

Do we really believe we won't be able to attack a 1024 bit key with a sufficiently large budget even in 10 years? ...
Currently, the cryptographic cost of an attack is ... 0. How many
attacks have there been? Perhaps the perceived value of owning part
of DNS isn't as great as you think.
If the constraints elsewhere in the system limit the number of bits of
signature you can transfer, you're stuck. Presumably over time you'd
want to go to a more bit-efficient signature scheme, perhaps using
ECC. But as it is, the choice appears to be between (a) continuing
the current completely unprotected system and (b) *finally* rolling
out protection sufficient to block all but very well funded attacks
for a number of years.
Should we let the best be the enemy of the good here?
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com