Paul Crowley writes: > Silverman is AFAICT the most knowledgeable person to have commented on > all this. He has no axe to grind, unless you count the inexcusably > unfair treatment he received from RSA. > > All of his sci.crypt comments are available with this search: > > http://groups.google.com/groups?q=bernstein+group:sci.crypt.*+author:amms716%40a > ol.com&filter=0 > > His off-the-cuff estimate of a good new recommended key size was 2048 bits.
Not so. His actual comment, from one of the three messages Google finds at the above URL, was: > If it is practical, it would mean that the minimum keysize for RSA keys > (and DSA keys) would need to be at least 2K bits. The question is, is it practical? At the time of that message, February 28, Silverman wrote: > I have only taken a quick look at the paper, but it does appear (on > the surface) to be doable. It does, of course, require building custom > hardware. I intend to read this paper carefully over the next week. Yet since then he has had no more substantive comment, just a couple of snide digs at RSA Labs. Surely Silverman is indeed as qualified as anyone to judge whether Bernstein's ideas have any practical value. Yet almost two months later he is apparently still unable to make a public judgement. The fact is, the jury is still completely out on whether Bernstein's ideas will reduce the cost of factoring 1024 bit keys. Bernstein doesn't say they will. Silverman doesn't say they will. In fact there almost seems to be an inverse correlation between how much people know about factoring and how much confidence they are willing to express that Bernstein's machine will work for keys of this size. The main people who have publically declared that Bernstein's machine is a practical threat are Ray Dillinger, Nicko van Someren, Lucky Green, and Joseph Ashwood, Since then Nicko van Someren has characterized his comment as an estimate he came up with on the spot that he later found was off by a factor of 100 billion. Lucky Green relied on Nicko van Someren's estimate. So far no one who has claimed the machine to be practical has offered the barest, sketchiest ghost of a design! The most elementary, simple, basic parameter which drives the design of such a machine is the size of the factor base (or bases). If they would just tell us how big the factor base was they assumed, how many processing elements were are involved in the matrix solution phase, and what clock speed they are assuming, that would basically define that half of the design. If they then indicated what algorithm they were assuming for the "sieving" phase, how many processors and what clock speed, that would define the other half. Specifying these few parameters would allow a wide range of reviewers to at least sanity-check the claims. It should be a minimal requirement for anyone who wants to claim that the Bernstein machine is a practical threat to at least tell us the factor base size they are assuming. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]