Eric Rescorla [ER] replied to Eugene Leitl [EL]:
...
> > EL:
> > Personally, I no longer trust RSA for long term security.
> >
> > This is public-key crypto, not symmetric, so a break of your RSA key
> > means that all your encrypted traffic becomes readable rather than
> > just one message. E.g., if a few years ago you used 512-bit RSA to
> > encrypt a will that was not to be read by anybody until you die,
> > that's tough because it could be read today. Doesn't matter that you
> > moved to 768 bits and then 1024 in the meantime.
> If you care about Perfect Forward Secrecy, you shouldn't be using
> RSA at all. You should be using DH with a fresh key for each
> exchange. The probability that in the next 50 years your key will
> be compromised in some other way than factoring is sufficiently
> high to motivate this tactic. (In my view, it's vastly higher
> than that of your key being broken by factoring).
Correct... and furthermore - this only dealt with transmitting the
encrypted (and signed?) will, presumably to a trusted lawyer (or other
trusted party). I would also be more concerned about the risk that the
lawyer/party will be corrupted (by software or otherwise...) within the
50 years. Again the solution has nothing to do with ECC vs. RSA...

This is a bit beside the original debate but let me quickly recall the
three main techniques I know of for protecting such long-lasting secret
data:

-- Tamper-resistant hardware
-- Splitting the data (or a strong symmetric key with which the data is
   encrypted) among several secure storage units (secret sharing)
-- The same, but proactively re-hashing the shares periodically, so that
   an attacker must collect all shares during the same period (proactive
   secret sharing).

Regards,
Amir Herzberg
See http://amir.beesites.co.il/book.html for lectures and draft-chapters
from `secure communication and commerce using cryptography`; feedback
welcome!