objectivity and factoring analysis

Adam Back adam at cypherspace.org
Fri Apr 19 09:51:59 EDT 2002

I'd just like to make a few comments about the apparently unnoticed or
unstated conflicts of interest and bias in the analysis surrounding
Bernstein's proposal.

The following is not intended to trample on anyone's ego -- but I
think deserves saying.

- I'm not sure any of the respondents so far except Bernstein have
truly understood the math -- there are probably few who do, factoring
being such a narrow research area.

- Dan Bernstein stated that it is not easy to estimate the constants
involved to know whether the asymptotic result affects currently used
key sizes; he stated that the conclusion should be considered unknown
until experimental evidence is gained.

- Nicko van Someren -- the person credited with originally making the
exaggerated, or at least highly worst case interpretation at the FC02
panel -- has a conflict interest -- hardware accelerator gear that
ncipher sell will be more markedly needed if people switch to 2048 or
larger keys.  Nicko has made no public comments in the resulting

- Ian Goldberg also on the panel quickly distanced himself from van
Someren's claim, as Lucky's earlier mail could have been read to imply
Goldberg had also agreed with van Someren's claim.

- RSA's FAQ down playing the result seems relatively balanced though
they have an incentive to downplay the potential of Bernstein's
approach.  They have a history of producing biased FAQs: for example
previously the ECC FAQ where they compared ECC unfavorably to RSA.
The FAQ was removed after they licensed tech from certicom and
included ECC in BSAFE.

- Bob Silverman, former RSA factoring expert, observes on sci.crypt,

> At this point, there is noone left at RSA Labs who has the expertise
> or knowledge to judge Bernstein's work.

- Bruce Schneier's somewhat downplaying comments, as far as I know
Bruce isn't an expert on factoring and he doesn't credit anyone who is
in his report.  Bruce's comments lately seem to have lost much of
their earlier objectivity -- many of his security newsletters lately
seem to contain healthy doses of adverts for counterpane's managed
security offering, and calls for lobbying and laws requiring companies
to use such products for insurance eligibility.

- Lucky on the other hand suggested a practical security engineering
approach to start to plan for possibility of migrating to larger key
sizes.  Already one SSH implementation added a configuration option to
select a minimum key size accepted by servers as a result.  This seems
like a positive outcome.  Generally the suggestion to move to 2048 bit
keys seems like a good idea to me.  Somewhat like MD5 -> SHA1, MD5
isn't broken for most applications but it is potentially tainted by a
partial result.  Similarly I would concur with Lucky that it's prudent
security engineering to use 2048 bit keys in new systems.
Historically for example PGP has had similar migrations from minimum
listed key sizes for casual use from 512 -> 768 -> 1024 over the
years.  The progression to 2048 is probably not a bad idea given
current entry level computer speeds and possibility of Bernstein's
approach yeilding an improvement in factoring.

The mocking tone of recent posts about Lucky's call seems quite
misplaced given the checkered bias and questionable authority of the
above conflicting claims we've seen quoted.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list