Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

Arnold G. Reinhold reinhold at world.std.com
Tue Feb 26 09:12:01 EST 2002


At 11:49 AM -0800 2/25/02, bear wrote:
>...
>The "secure forever" level of difficulty that we used to believe
>we got from 2kbit keys in RSA is apparently a property of 6kbit
>keys and higher, barring further highly-unexpected discoveries.

Highly-unexpected? All of public key cryptography is built on 
unproven mathematical assumptions. Why should this be the last 
breakthrough? If you plot the curve of what key length was considered 
long enough as a function of time, it doesn't look very good.

Perhaps it is time to stop claiming "secure forever" altogether until 
solid mathematical proofs of security are available.

>...
>I predict that Elliptic-Curve systems are about to become more
>popular.
>

I'm not completely comfortable with Elliptic-Curve systems. The 
mathematics is relatively young and has seen a lot of progress. Yet 
typical EC key length recommendations are based on the assumption 
that there is no way to calculate discrete logs in EC groups that is 
any faster than the general algorithm that applies to all finite 
groups. That sounds pretty aggressive to me.

If we are going to have to upgrade OpenPGP standards in light of the 
Bernstein paper, I would suggest a standard that combines RSA, EC 
and, if possible, a third PK system whose algorithm is based on an 
apparently independent problem.  The advantage of double or triple 
encryption is that a breakthrough in one problem area does not 
immediately compromise all your previously encrypted data. And you 
can upgrade the component key in question and distribute it signed 
with the old key, without having to start from scratch in establishing 
trust. Most personal computers are capable of this level of security. 
Why settle for less?


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
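
One way to realize the combination proposed in the message above, as an added example that is not part of the original post: two independent key-encapsulation components (textbook RSA, and a prime-field discrete-log group standing in for the EC component) whose secrets are hashed into one session key, so recovering one component secret alone does not yield the key. All parameters, function names and the `hybrid-demo-v1` label are constructed for illustration, and this key combiner is a substitute for the literal double encryption the message mentions.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
RSA_N = (2**31 - 1) * (2**61 - 1)          # product of two Mersenne primes
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**31 - 2) * (2**61 - 2))
DL_P, DL_G = 2**127 - 1, 3                 # prime-field stand-in for the EC group

def dl_keygen():
    x = secrets.randbelow(DL_P - 3) + 2
    return x, pow(DL_G, x, DL_P)           # (private, public)

def rsa_encap():
    r = secrets.randbelow(RSA_N - 2) + 2   # random secret, sent as r^e mod n
    return r, pow(r, RSA_E, RSA_N)

def rsa_decap(ct):
    return pow(ct, RSA_D, RSA_N)

def dl_encap(pub):
    y = secrets.randbelow(DL_P - 3) + 2    # ephemeral exponent
    return pow(pub, y, DL_P), pow(DL_G, y, DL_P)

def dl_decap(priv, ct):
    return pow(ct, priv, DL_P)

def combine(component_secrets, cts):
    """Hash every component secret and ciphertext into one session key."""
    h = hashlib.sha256(b"hybrid-demo-v1")
    for value in list(component_secrets) + list(cts):
        h.update(value.to_bytes(16, "big"))  # fixed width, no ambiguity
    return h.digest()

def sender(dl_pub):
    s1, c1 = rsa_encap()
    s2, c2 = dl_encap(dl_pub)
    return combine((s1, s2), (c1, c2)), (c1, c2)

def recipient(dl_priv, cts):
    c1, c2 = cts
    return combine((rsa_decap(c1), dl_decap(dl_priv, c2)), cts)

def attacker_with_rsa_broken(cts, guess_s2):
    """Models a break of RSA only: s1 is known, s2 still has to be guessed."""
    return combine((rsa_decap(cts[0]), guess_s2), cts)
```
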


