[anon1df3@nyx10.cs.du.edu: Re: PGP 2.5]
|> Another RSAREF limitation is that it cannot cope with keys longer than
|> 1024 bits.

Projecting current progress in factoring, how long will 1024-bit keys be secure against something like NSA? Is it the case that by standardizing on 1024-bit keys for the foreseeable future, we are merely providing a window of opportunity for cryptopunks which will work fine for a while but which will slam shut forever once the NSA becomes able (as a result of vast computer power, if nothing else) to routinely factor numbers this large, maybe in about 2150 or so? Remember people thought RSA-129 would take a long time. Cypherpunks write code that will remain secure for a long, long time, I hope.

Standardizing on RSAREF might, in the very long run, eventually have the same crippling effect that standardizing on Clipper could have in the short to intermediate term. If people become complacent about this limitation, it could become institutionalized. If everybody uses PGP 2.5 for the next hundred years, what happens then? If the public PGP depends on RSAREF, whose evolution is controlled by RSA, and if eventually a new version comes out which is incompatible with the older versions, and for which source code isn't as readily available, and the world standardizes on it, and it isn't interoperable with older versions, then we lose control, even if we now distribute a version of PGP 2.5 with the key restriction removed.

I would be happier if PGP 2.5 did not impose such a limit on key length. If we standardize on something with limitations, we have to remove them in the future. If we standardize on something without limitations, future generations don't have to worry about it. In addition to distributing crypto to the masses, we need to ensure that no infrastructure gets imposed which obviates our methods. I don't know if the 1024-bit key restriction will over time become an important limitation or not -- do you? A better question -- how long will it take?

I don't think I'm being paranoid, I'm just curious about the details of what is known about just how hard factoring is, how that corresponds to the exponential growth in technological capability, and where the crossover point lies for 1024-bit keys. Maybe I should just read the book instead of posting... (Naah!..)

-- 
dat@ebt.com (David Taffs)
David Taffs writes:
> Projecting current progress in factoring, how long will 1024-bit keys be
> secure against something like NSA?
Schneier has a good exposition of this in his book. It's worthwhile to do the calculations, even back-of-the-envelope. Assuming no surprise breakthroughs in factoring (in which case even 1200-1500 bit keys would fall, one would assume), a 1024-bit key is *vastly* stronger than a 384-bit key, which just consumed several thousand MIPS-years to break (to factor the modulus, of course).
> Is it the case that by standardizing on 1024-bit keys for the foreseeable
> future, we are merely providing a window of opportunity for cryptopunks
> which will work fine for a while but which will slam shut forever once the
> NSA becomes able (as a result of vast computer power, if nothing else) to
> routinely factor numbers this large, maybe in about 2150 or so? Remember
> people thought RSA-129 would take a long time.
Recall that the RSA patents begin to expire in a few years and are completely expired by 2002. After that, the issue will be moot. And at the rate at which things are moving these days, I expect an MIT-RSADSI-blessed version of PGP--perhaps Version 3--to add features, increase key lengths, etc.

I don't know any details of the MIT-RSADSI deal, but I think this PGP 2.5 deal is a GOOD THING, on the whole. It gives the national security apparatus no excuses for cracking down on PGP, vis-a-vis patent infringements (not that they enforce patents, but that was a cloud hanging over PGP), and probably makes the export of PGP for Zimmermann a non-issue. (Somebody will very quickly export PGP 2.5 to Europe, presumably by very untraceable means.)

As for generating a new key, I was planning to do so anyway...one ought to change one's key at least 0.5% as often as one changes one's underwear. (Awkwardly said, but you get the idea.) As there is not yet a Mac version, I'll have to wait a while.
> in the short to intermediate term. If people become complacent about this
> limitation, it could become institutionalized. If everybody
> uses PGP 2.5 for the next hundred years, what happens then?
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Not too likely. Not even the next _five_ years. By the time truly strong (last a couple of centuries) crypto is needed, for critical financial trusts and cryonic suspension sorts of things, this deal will help to make sure nothing can block the spread of strong crypto. A good thing.

--Tim May

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
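The back-of-the-envelope calculation Tim refers to, as an added example that is not part of either post: it uses the heuristic general number field sieve cost L[1/3, (64/9)^(1/3)] to compare the work for 384-bit and 1024-bit moduli, scales the "several thousand MIPS-years" figure from the thread (a constructed 5000 MIPS-years is assumed here), and converts the gap into doublings of computing power at an assumed 18 months per doubling. The o(1) term in the exponent and any algorithmic advances are ignored, so the numbers are orders of magnitude, not predictions.

```python
import math

# Heuristic GNFS exponent constant c = (64/9)^(1/3).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_ln_work(bits: int) -> float:
    """Natural log of the heuristic GNFS work for an n-bit modulus:
    ln L_n[1/3, c] = c * (ln n)^(1/3) * (ln ln n)^(2/3).
    Returns the log rather than the work itself to avoid overflow."""
    ln_n = bits * math.log(2)          # ln(2^bits)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def doublings_between(bits_a: int, bits_b: int) -> float:
    """log2(work(bits_b) / work(bits_a)): how many doublings of compute
    separate the two key sizes under the heuristic."""
    return (gnfs_ln_work(bits_b) - gnfs_ln_work(bits_a)) / math.log(2)


def mips_years(bits: int, ref_bits: int = 384,
               ref_mips_years: float = 5000.0) -> float:
    """Scale a reference effort (constructed: 5000 MIPS-years for a 384-bit
    modulus, matching 'several thousand' in the thread) to another size."""
    return ref_mips_years * 2 ** doublings_between(ref_bits, bits)


def years_until_comparable(bits: int, ref_bits: int = 384,
                           doubling_period_years: float = 1.5) -> float:
    """Years of capability doubling (assumed 18 months per doubling) until
    factoring 'bits' costs what factoring 'ref_bits' costs today."""
    return doublings_between(ref_bits, bits) * doubling_period_years


if __name__ == "__main__":
    for n in (384, 512, 768, 1024):
        print(f"{n:5d} bits: ~{mips_years(n):10.3g} MIPS-years, "
              f"{doublings_between(384, n):5.1f} doublings from 384-bit, "
              f"~{years_until_comparable(n):5.1f} years of doubling")
```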