David Taffs writes:
Projecting current progress in factoring, how long will 1024-bit keys be secure against something like NSA?
Schneier has a good exposition of this in his book. It's worthwhile to do the calculations, even back-of-the-envelope. Assuming no surprise breakthroughs in factoring (in which case even 1200-1500 bit keys would fall, one would assume), a 1024-bit key is *vastly* stronger than a 384-bit key, which just consumed several thousand MIPS-years to break (to factor the modulus, of course).
Is it the case that by standardizing on 1024-bit keys for the foreseeable future, we are merely providing a window of opportunity for cryptopunks which will work fine for a while but which will slam shut forever once the NSA becomes able (as a result of vast computer power, if nothing else) to routinely factor numbers this large, maybe in about 2150 or so? Remember people thought RSA-129 would take a long time.
Recall that the RSA patents begin to expire in a few years and are completely expired by 2002. After that, the issue will be moot. And at the rate at which things are moving these days, I expect an MIT-RSADSI-blessed version of PGP--perhaps Version 3--to add features, increase key lengths, etc. I don't know any details of the MIT-RSADSI deal, but I think this PGP 2.5 deal is a GOOD THING, on the whole. It gives the national security apparatus no excuses for cracking down on PGP, vis-a-vis patent infringements (not that they enforce patents, but that was a cloud hanging over PGP), and probably makes the export of PGP for Zimmermann a non-issue. (Somebody will very quickly export PGP 2.5 to Europe, presumably by very untraceable means). As for generating a new key, I was planning to do so anyway...one ought to change one's key at least 0.5% as often as one changes one's underwear. (Awkwardly said, but you get the idea.) As there is not yet a Mac version, I'll have to wait a while.
in the short to intermediate term. If people become complacent about this limitation, it could become institutionalized. If everybody uses PGP 2.5 for the next hundred years, what happens then?
Not too likely. Not even the next _five_ years. By the time truly strong (last a couple of centuries) crypto is needed, for critical financial trusts and cryonic suspension sorts of things, this deal will help to make sure nothing can block the spread of strong crypto. A good thing.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
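The back-of-the-envelope calculation Tim alludes to above can be made concrete with the heuristic asymptotic cost of the general number field sieve (GNFS), L_n[1/3, (64/9)^(1/3)]. The script below is an added example and is not part of the thread or of PGP; it assumes the GNFS exponent is a fair proxy for relative factoring effort (constant factors are dropped, so only ratios between key sizes mean anything), takes the thread's "several thousand MIPS-years" for a 384-bit modulus as a constructed 5000 MIPS-years, and models hardware growth as a doubling every 18 months. The function names and the 1994 base year are the example's own choices.

```python
import math

# Heuristic GNFS running time: L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),
# with c = (64/9)^(1/3). Constant factors are dropped, so use only ratios.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work(bits: int) -> float:
    """Relative effort to factor an RSA modulus of the given bit length."""
    ln_n = bits * math.log(2)
    return math.exp(GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def work_ratio(bits_from: int, bits_to: int) -> float:
    """How many times harder a bits_to modulus is than a bits_from modulus."""
    return gnfs_work(bits_to) / gnfs_work(bits_from)


def estimate_mips_years(bits_from: int, mips_years_from: float, bits_to: int) -> float:
    """Scale a known factoring effort (in MIPS-years) to another key size."""
    return mips_years_from * work_ratio(bits_from, bits_to)


def years_until_same_effort(bits_from: int, bits_to: int,
                            doubling_period_years: float = 1.5) -> float:
    """Years of assumed hardware growth (one doubling per period) until a
    bits_to key costs what a bits_from key costs today."""
    return math.log2(work_ratio(bits_from, bits_to)) * doubling_period_years


def projected_year(base_year: int, bits_from: int, bits_to: int,
                   doubling_period_years: float = 1.5) -> int:
    """Calendar year at which bits_to becomes as cheap as bits_from was in base_year."""
    return base_year + math.ceil(
        years_until_same_effort(bits_from, bits_to, doubling_period_years))


if __name__ == "__main__":
    # Constructed anchor: ~5000 MIPS-years for a 384-bit modulus, as in the thread.
    base_bits, base_effort, base_year = 384, 5000.0, 1994
    for bits in (384, 512, 768, 1024, 1536, 2048):
        print(f"{bits:5d} bits: x{work_ratio(base_bits, bits):10.3g} harder, "
              f"~{estimate_mips_years(base_bits, base_effort, bits):10.3g} MIPS-years, "
              f"same effort as {base_bits}-bit by ~{projected_year(base_year, base_bits, bits)}")
```

The output is a ladder of relative costs rather than a prediction: the GNFS exponent says nothing about a surprise algorithmic advance (the caveat Tim raises), and the doubling period is the single assumption that moves the projected year the most, so it is worth re-running with a pessimistic value.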