I'd just like to make a few comments about the apparently unnoticed or unstated conflicts of interest and bias in the analysis surrounding Bernstein's proposal.
The following is not intended to trample on anyone's ego -- but I think deserves saying.

- I'm not sure any of the respondents so far except Bernstein have truly understood the math -- there are probably few who do, factoring being such a narrow research area.

- Dan Bernstein stated that it is not easy to estimate the constants involved to know whether the asymptotic result affects currently used key sizes; he stated that the conclusion should be considered unknown until experimental evidence is gained.

- Nicko van Someren -- the person credited with originally making the exaggerated, or at least highly worst-case, interpretation at the FC02 panel -- has a conflict of interest: hardware accelerator gear that nCipher sell will be more markedly needed if people switch to 2048-bit or larger keys. Nicko has made no public comments in the resulting discussion.

- Ian Goldberg, also on the panel, quickly distanced himself from van Someren's claim, as Lucky's earlier mail could have been read to imply Goldberg had also agreed with van Someren's claim.

- RSA's FAQ downplaying the result seems relatively balanced, though they have an incentive to downplay the potential of Bernstein's approach. They have a history of producing biased FAQs: for example previously the ECC FAQ where they compared ECC unfavorably to RSA. The FAQ was removed after they licensed tech from Certicom and included ECC in BSAFE.

- Bob Silverman, former RSA factoring expert, observes on sci.crypt, quote:

  > At this point, there is no one left at RSA Labs who has the expertise
  > or knowledge to judge Bernstein's work.

- Bruce Schneier's somewhat downplaying comments: as far as I know Bruce isn't an expert on factoring and he doesn't credit anyone who is in his report. Bruce's comments lately seem to have lost much of their earlier objectivity -- many of his security newsletters lately seem to contain healthy doses of adverts for Counterpane's managed security offering, and calls for lobbying and laws requiring companies to use such products for insurance eligibility.

- Lucky on the other hand suggested a practical security engineering approach: to start to plan for the possibility of migrating to larger key sizes. Already one SSH implementation added a configuration option to select a minimum key size accepted by servers as a result. This seems like a positive outcome.

Generally the suggestion to move to 2048-bit keys seems like a good idea to me. Somewhat like MD5 -> SHA1: MD5 isn't broken for most applications but it is potentially tainted by a partial result. Similarly I would concur with Lucky that it's prudent security engineering to use 2048-bit keys in new systems. Historically, for example, PGP has had similar migrations of minimum listed key sizes for casual use from 512 -> 768 -> 1024 over the years. The progression to 2048 is probably not a bad idea given current entry-level computer speeds and the possibility of Bernstein's approach yielding an improvement in factoring.

The mocking tone of recent posts about Lucky's call seems quite misplaced given the checkered bias and questionable authority of the above conflicting claims we've seen quoted.

Adam

--
http://www.cypherspace.org/adam/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
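As an added illustration of the minimum-key-size policy discussed in the post above (this is not code from the post, nor from any SSH implementation): a small Python check that parses OpenSSH `ssh-rsa` public key lines in the RFC 4253 wire format, reads the modulus bit length, and flags keys below a configurable floor, defaulting to the 2048 bits argued for above. The sample keys are constructed inside the script; their moduli are just integers of the desired length, not real RSA keys, and the function names are my own.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # policy floor argued for in the post


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the sign bit clear for a positive number
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _sshstring(data: bytes) -> bytes:
    """Encode a length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def build_ssh_rsa_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an authorized_keys style 'ssh-rsa <base64> <comment>' line.

    Only the wire format matters here; n is a constructed integer used to
    exercise the parser, not a real RSA modulus.
    """
    blob = _sshstring(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated string body")
    return blob[start:start + length], start + length


def rsa_modulus_bits(line: str) -> int:
    """Return the modulus bit length of an ssh-rsa public key line.

    Raises ValueError for non-RSA keys or malformed blobs.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match key type field")
    _e, off = _read_string(blob, off)          # public exponent, unused here
    n_bytes, off = _read_string(blob, off)     # modulus as mpint
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length()


def check_key_policy(lines, min_bits=MIN_RSA_BITS):
    """Classify each key line as 'ok', 'too-small' or 'error' against min_bits."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are not keys
        try:
            bits = rsa_modulus_bits(line)
        except ValueError as exc:
            results.append(("error", str(exc)))
            continue
        results.append(("ok" if bits >= min_bits else "too-small", bits))
    return results


# Constructed sample lines: e is the common exponent 65537; each n is simply an
# integer with the top bit set at the wanted size, so it is not a usable key.
SAMPLE_KEYS = [
    build_ssh_rsa_line(65537, (1 << 1023) | 1, "legacy-1024"),
    build_ssh_rsa_line(65537, (1 << 2047) | 1, "new-2048"),
    "ssh-ed25519 AAAA not-an-rsa-key",
]

if __name__ == "__main__":
    for status, detail in check_key_policy(SAMPLE_KEYS):
        print(status, detail)
```

Run against a real `authorized_keys` or `known_hosts` file, this reports which RSA keys fall below the chosen floor; non-RSA key types are reported as errors rather than silently accepted, so the policy can be extended per key type deliberately.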