Previously I said about one-time pads: "High security, high cost." (Well, not exactly that...) I invoked it then in order to argue that I personally didn't need to use one-time pads. Implicit also in that statement is the claim that when the worth of security is high, the cost may be relatively cheap.

George and I agree on this point. When you are fighting a military battle, when you have a government pissed off at you in a serious way, you need as good as you can get. Since you can get perfect end-to-end link encryption, you use it.

All cryptography is economics. Repeat after me. All cryptography is economics.

I don't need one-time pads. Sendero Luminoso does. It's as easy as that. It's merely a matter of scale. Large scale, high security. Small scale, pretty good security.

Re: Mathematical breakthroughs.

George missed my main point here. We don't know whether factoring is "fundamentally hard." (Project your own definition here.) We should not assume that when the breakthrough comes, that it will be found "easy." It may be that factoring is hard, and that RSA is secure for that reason. (The astute reader will see that these two are not exactly the same question.)

My current thinking is that factoring is hard because of various randomness properties of primes, that in fact multiplying one large prime by another is like encrypting one prime with the other as a one-time pad! But I'm no number theorist.

I do, however, agree with "caution in the face of an unknown." And for high stakes, George's "irrational caution" is not irrational at all.

Re: Relative security.

It seems I had an editing error. What I meant to say (paraphrased) was the following. Perfect security is not worth the cost when the marginal cost of perfect security is more than the marginal benefits of such security. This encompasses both the high end and the low end.

I don't need one-time pads. Abu Nidal does.

Repeat after me. Cryptography is all economics.

Eric