objectivity and factoring analysis

Anonymous nobody at remailer.privacy.at
Wed Apr 24 05:36:02 EDT 2002 

Paul Crowley writes:
> Silverman is AFAICT the most knowledgeable person to have commented on
> all this.  He has no axe to grind, unless you count the inexcusably
> unfair treatment he received from RSA. 
>
> All of his sci.crypt comments are available with this search:
>
> http://groups.google.com/groups?q=bernstein+group:sci.crypt.*+author:amms716%40a
> ol.com&filter=0
>
> His off-the-cuff estimate of a good new recommended key size was 2048 bits.

Not so.  His actual comment, from one of the three messages Google
finds at the above URL, was:

> If it is practical, it would mean that the minimum keysize for RSA keys
> (and DSA keys) would need to be at least 2K bits.

The question is, is it practical?  At the time of that message, February
28, Silverman wrote:

> I have only taken a quick look at the paper, but it does appear (on
> the surface) to be doable.  It does, of course, require building custom
> hardware.  I intend to read this paper carefully over the next week.

Yet since then he has had no more substantive comment, just a couple of
snide digs at RSA Labs.

Surely Silverman is indeed as qualified as anyone to judge whether
Bernstein's ideas have any practical value.  Yet almost two months later
he is apparently still unable to make a public judgement.

The fact is, the jury is still completely out on whether Bernstein's
ideas will reduce the cost of factoring 1024 bit keys.  Bernstein doesn't
say they will.  Silverman doesn't say they will.  In fact there almost
seems to be an inverse correlation between how much people know about
factoring and how much confidence they are willing to express that
Bernstein's machine will work for keys of this size.

The main people who have publically declared that Bernstein's machine is
a practical threat are Ray Dillinger, Nicko van Someren, Lucky Green,
and Joseph Ashwood, Since then Nicko van Someren has characterized his
comment as an estimate he came up with on the spot that he later found
was off by a factor of 100 billion.  Lucky Green relied on Nicko van
Someren's estimate.

So far no one who has claimed the machine to be practical has offered
the barest, sketchiest ghost of a design!  The most elementary, simple,
basic parameter which drives the design of such a machine is the size of
the factor base (or bases).  If they would just tell us how big the factor
base was they assumed, how many processing elements were are involved in
the matrix solution phase, and what clock speed they are assuming, that
would basically define that half of the design.  If they then indicated
what algorithm they were assuming for the "sieving" phase, how many
processors and what clock speed, that would define the other half.

Specifying these few parameters would allow a wide range of reviewers
to at least sanity-check the claims.  It should be a minimal requirement
for anyone who wants to claim that the Bernstein machine is a practical
threat to at least tell us the factor base size they are assuming.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list