I got quite a few useful comments on the key comparison summary I
posted earlier. Even some people said they found it useful. Mark
Grant improved the readability, plus other suggestions. Peter Trei
urged me to actually re-read the Wiener paper to quote the figures
correctly rather than from memory. Also Peter raised issues to do
with how to compare hardness to break DES against 512 bit RSA. There
is now an aside more technical note explaining the issues. I think I
stand by my original comparison of "roughly equal", because depending
on how you view it, it'll come out 10x cheaper, or 10x harder.
(Memory being one hurdle each participating workstation needing of the
order of 128 Mb; the other hurdle being the existance of a machine
large enough to reduce the matrix which results from all the
relations).
I don't think we can explain it any more technically and expect it to
be useful to a journalist. We need a gross generalisation: is it
approx as hard, is it 100x harder. They don't want to hear about
space complexity, the matrix reduction phase (RSA) nor known plaintext
memory trade offs (DES). If we don't supply the gross generalisation,
they will do it themselves to make it palatable for their readers.
With less understanding of the subject, their generalisation is likely
to be even wildly inaccurate than the generous error bars on ours.
This is not an insult to journalists. Crypto is a technical,
complicated field. I wouldn't contemplate making estimates in other
peoples fields.
Further discussion of course still sought (rip it apart pessimists on
crypto estimates). Here's the new improved version.
Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0