Yes, excessive paranoia is inefficient. For example, assuming that NSA is godlike could lead people to choose 4K-bit RSA keys, with the associated penalty, when 700 bits or so would be plenty for the near term. However, a successful cryptographer must be cautious at a level that would be judged paranoid in more civilized communities. A trusting cryptographer would accept arguments about how many more keys this new system will accept than there are atoms in the universe (like simple substitution, for example, which allows for 26! different keys). A non-paranoid user of PGP would use a shared UNIX system for all business, since only trusted users and the very rare cracker have access to that system. A non-paranoid cryptographer would put her password into her autoexec.bat file. If you need cryptography, it's because you have enemies. In a world of sweetness and light, it doesn't matter if everybody knows everything about you, because they won't take advantage of that knowledge. In the real world, your data and identity have value, and people may be willing to expend resources to acquire some of that value. You need to estimate how much exclusive use of your data is worth to you, how much your hypothetical enemies are willing to spend to get access to that data, and how cheaply you can defend against that attack. It's been observed that a good programmer will look both ways when crossing to a one-way street. I'll observe that a good cryptographer will not only look both ways, but will also look up and down. Jim Gillogly Trewesday, 23 Thrimidge S.R. 1994, 23:05