I think Adam's already covered the red herring of key length. You can use 4-billion-bit keys and it won't help prevent an attack based on stealing secret keys. Ed Carp hit the nail on the head when he wrote:
What is needed is better human management of keys. Why brute-force, why look for weak keys, why bother calculating how much safer 2047-bit keys are rather than 1024-bit keys when someone can look on your HD and find your secret key, when they can open your desk drawer and find your pass phrase or password, when they can guess that you used your wife's maiden name as your password?
What some people seem to miss is that, in the absence of hardware keys (which I believe is the only workable long term solution for mass-market cryptography), this sort of thing is just plain too easy. If a Windows cryptoprogram stores its secret keys in a known location, I can write a Windows virus that flies through the net and steals zillions. If the program insists on making the users insert a floppy every time, the program's perceived usability will go through the floor, and people will find workarounds. In any event, I could write a virus that sits in front of the e-cash program and steals your keys when next you run the e-cash program. Software's just too easy to fool. That's why I regard the risk of catastrophe as being fairly large in software-based e-cash schemes. Jim, I never denied that some banks would be willing to take the risk (in fact, read my post, I said just the opposite). What I said was that the assumption of the risk would carry a significant underwriting cost, which would be, in essence, the "cost of anonymity" when comparing payment systems. Finally Jim writes:
Your arguments seem to only be qualitative, not quantitative. Maybe that's why the other guy calls them "FUD."
I'm saying that there will be a high underwriting cost for anonymous cash, and that this will make it much more expensive than non-anonymous payment systems. To my mind, that's a discussion about quantity of costs, not quality. If you want me to give you numbers, I'm sorry, but I can't -- I'm not a banker or an actuary, and a lot of leg work would be required to come up with a precise number in any event. If I were a banker, however, I think I'd be too conservative to underwrite e-cash at any price, and would suggest that you find a less risk-averse banker. -- Nathaniel -------- Nathaniel Borenstein <nsb@fv.com> | (Tense Hot Alien In Barn) Chief Scientist, First Virtual Holdings | VIRTUAL YELLOW RIBBON: FAQ & PGP key: nsb+faq@nsb.fv.com | http://www.netresponse.com/zldf