Re: Crypto-smart-card startup Inside Technologies
At 09:41 PM 1/31/96 -0800, Peter Monta wrote:
> jim bell <jimbell@pacifier.com> writes:
>> [ Inside Technologies ] ..."In public-key cryptography, 512-bit keys are typical and already vulnerable. So we are looking at 640-bit-long keys supported by a scalable design."
>> This kind of thing disgusts me. We already know 512-bit keys are weak. As I recall, I was told that 512-bit keys could be cracked in 20,000 MIPS-years. If the ballpark formula holds that adding 10 bits doubles the security, that merely means that 640 bits is 2**(128/10) or 8000 times stronger. While obviously better than 512, it is not ENOUGH better to make me confident that this is a long-term secure length. 768 or 1024 bits should be considered the minimum. A deliberate design of 640 bits makes it look like it's intended to be crackable in 5-10 years, much as DES was suspected of a similar design decision in limiting its keylength to 56 bits.
> But the "scalable design" presumably means the hardware can deal with a variety of modulus lengths. As you say, they would be short-sighted to make a fixed choice.
I hope you're right about this. But there's something to keep in mind. Let's suppose that in 10 years 640 bits are "easily" cracked. Anybody with the storage (money) to keep all these messages will have the power to sort through everything you said in 1996, '10 years later.' Who has the money to even store these messages, as well as the inclination? You guessed it, the government. I realize that it is arguable that this would be possible, no matter what keylength is chosen. True, someday 1024-bit keys might be easily cracked, but that will probably be 30-50 years from now, not 10. In other words, "stretching" the technology today on the "encrypt" side makes storing these messages far less attractive, meaning that the government will have less motivation to do it, and will not be able to make the effort pay off for a few more decades.

I would like to see laws:

1. Prohibiting the government from storing encrypted messages it can't currently decrypt for over, say, a couple of years.

1a. Prohibiting any USE by the government of such messages obtained and stored by other entities, including individuals and private corporations, without the express permission of the sender AND receiver of the message.

2. Prohibiting the government from even ATTEMPTING to decrypt a domestically-obtained encrypted message, without a warrant which is simultaneously given to the source of the message: In other words, alerting him to the government's interest.

This is just a start.
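As an added check that is not part of the thread, here is a small Python script that applies the "adding 10 bits doubles the work" rule of thumb from the quoted message and sets it beside the asymptotic running-time estimate for the general number field sieve, L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped; that GNFS comparison and the scaling of the quoted 20,000 MIPS-year figure go beyond what the message itself does and are my assumptions, not a measured factoring cost.

```python
import math

LN2 = math.log(2)
# Baseline quoted in the thread: 512-bit RSA at roughly 20,000 MIPS-years.
BASELINE_BITS = 512
BASELINE_MIPS_YEARS = 20000.0


def rule_of_thumb_ratio(bits_from, bits_to, bits_per_doubling=10):
    """Effort multiplier under the thread's heuristic: every extra
    `bits_per_doubling` bits of modulus doubles the attacker's work."""
    return 2 ** ((bits_to - bits_from) / bits_per_doubling)


def gnfs_log_effort(bits):
    """Natural log of the GNFS heuristic running time for a modulus of
    `bits` bits: exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)).
    The o(1) term is dropped, so this is only a rough asymptotic (assumption)."""
    ln_n = bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def gnfs_ratio(bits_from, bits_to):
    """Ratio of GNFS effort between two modulus sizes."""
    return math.exp(gnfs_log_effort(bits_to) - gnfs_log_effort(bits_from))


def mips_years(bits, model=gnfs_ratio):
    """Scale the quoted 20,000 MIPS-year figure to `bits` under `model`."""
    return BASELINE_MIPS_YEARS * model(BASELINE_BITS, bits)


def compare(sizes=(640, 768, 1024)):
    """Rows of (bits, rule-of-thumb multiplier, GNFS multiplier) vs 512 bits."""
    return [(b, rule_of_thumb_ratio(BASELINE_BITS, b), gnfs_ratio(BASELINE_BITS, b))
            for b in sizes]


if __name__ == "__main__":
    print(f"{'bits':>5} {'x (10-bit rule)':>16} {'x (GNFS asympt.)':>17}")
    for b, rt, g in compare():
        print(f"{b:>5} {rt:>16.3g} {g:>17.3g}")
```

The two models disagree by orders of magnitude for 640 bits (about 7,000x versus about 100x), which is the practical reason to size the margin by the best known algorithm rather than a per-bit rule.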
One other little point about 640-bit RSA; there's no way I'd ever buy an RSA accelerator tuned for 640, for one very simple reason. Most of the important keys I want an accelerator for are 1024 bits or longer - C/As, SETT banks, etc. I want to be able to clear 20 PKOPs per second without impacting the main CPUs; if I need to buy a busful of these babies they'd better be damn cheap and be available with duplicate keys...

Simon