On Mon, Oct 19, 2015 at 10:59 PM, Michael Hamburg <m...@shiftleft.org> wrote:

> There isn’t any concern that Curve25519 might get broken, unless of course
> someone manages to build a quantum computer. DJB’s security estimate still
> holds.

I presume, though, that the construction of a quantum computer would have catastrophic effects on pretty much all crypto primitives, independent of the bit size, except those designed to be post-quantum secure (such as the ideal lattice crypto I've seen discussed recently).

> I don’t expect that the 448 prime would resist future attacks any better
> than 2^255-19, except by being larger.

Alright, so it's just a time trade-off situation: if computers get faster, or a faster-than-brute-force method is developed, low bit sizes could be compromised. DES->3DES story, among others.

I've read in places that Curve25519 is "equivalent to 3072-bit RSA", whatever that means. But considering 2048-bit RSA is still considered very much acceptable, this alleged "3072-bit" number still offers some margin. On the other hand, the scope of hypothetical future attacks is boundless.

So how does one make a decision here? How does one *choose* and *act* based on hypotheticals? I am a mere programmer, not an army general or a politician, and am thus entirely unable to reason on that basis.

> Single file implementation at

WOW! Awesome, Mike -- that was so ridiculously fast. Thank you. I will definitely play around with this.
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
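The "equivalent to 3072-bit RSA" figure questioned in the reply above comes from matching the cost of the best known classical attacks on each problem: Pollard rho for the elliptic-curve discrete logarithm and the general number field sieve for factoring. The Python below is an added illustration, not code posted to the list, that reproduces that comparison for the two curves under discussion. The group orders are the RFC 7748 values; the GNFS cost is the L[1/3, (64/9)^(1/3)] heuristic, calibrated on the assumption that the RSA-768 factoring record cost roughly 2^67 operations, which is a rough anchor and not a precise figure. None of this applies once a large quantum computer exists: Shor's algorithm breaks both problems in polynomial time, so the "bits" below measure classical margin only.

```python
import math

# Base-point orders from RFC 7748.
CURVE25519_ORDER = 2**252 + 27742317777372353535851937790883648493
CURVE448_ORDER = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885

# Calibration anchor (assumption): the 2009 RSA-768 factorization was reported
# as roughly 2^67 instructions. Everything on the RSA side is relative to it.
ANCHOR_MODULUS_BITS = 768
ANCHOR_LOG2_COST = 67.0


def ecdlp_security_bits(order):
    """log2 of the expected group operations for Pollard rho (with the negation
    map) on a prime-order subgroup: sqrt(pi * n / 4).  Generic attacks are the
    best known classical attacks on these curves, so this is the security level."""
    return 0.5 * (math.log2(math.pi / 4) + math.log2(order))


def gnfs_log2_cost(modulus_bits):
    """log2 of the raw L_N[1/3, (64/9)^(1/3)] heuristic for factoring an N of
    `modulus_bits` bits.  The o(1) term is dropped, so only differences between
    two modulus sizes are meaningful; see rsa_security_bits()."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def rsa_security_bits(modulus_bits):
    """Estimated classical security of RSA-`modulus_bits`, obtained by scaling
    the GNFS heuristic so that it passes through the calibration anchor."""
    return ANCHOR_LOG2_COST + gnfs_log2_cost(modulus_bits) - gnfs_log2_cost(ANCHOR_MODULUS_BITS)


def rsa_equivalent(target_bits, step=256):
    """Smallest RSA modulus size (a multiple of `step`) whose estimated attack
    cost is at least `target_bits`.  This is what "curve X is equivalent to
    k-bit RSA" means: the best known attacks cost about the same."""
    k = step
    while rsa_security_bits(k) < target_bits:
        k += step
    return k


def compare_curves():
    """Return {curve name: (ECDLP bits, matching RSA size)} for the two curves."""
    out = {}
    for name, order in (("Curve25519", CURVE25519_ORDER), ("Curve448", CURVE448_ORDER)):
        bits = ecdlp_security_bits(order)
        out[name] = (bits, rsa_equivalent(bits))
    return out


if __name__ == "__main__":
    for name, (bits, rsa_bits) in compare_curves().items():
        print(f"{name}: ~2^{bits:.1f} generic ECDLP work, roughly RSA-{rsa_bits}")
    for k in (1024, 2048, 3072):
        print(f"RSA-{k}: ~2^{rsa_security_bits(k):.1f} GNFS work (calibrated)")
```

Running it puts Curve25519 at about 2^125.8 operations and Curve448 at about 2^222.8, while calibrated GNFS lands RSA-2048 near 2^107 and RSA-3072 near 2^129; the point of the exercise is that "larger prime" buys a roughly linear gain in bits against generic ECDLP attacks, whereas RSA sizes have to grow much faster to keep up, which is where the 3072-bit comparison comes from. Changing the anchor moves the RSA column by a few bits, which is exactly the uncertainty the reply is asking about.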