Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)
Arnold G. Reinhold
reinhold at world.std.com
Tue Feb 26 09:12:01 EST 2002
At 11:49 AM -0800 2/25/02, bear wrote:
>...
>The "secure forever" level of difficulty that we used to believe
>we got from 2kbit keys in RSA is apparently a property of 6kbit
>keys and higher, barring further highly-unexpected discoveries.
Highly-unexpected? All of public key cryptography is built on
unproven mathematical assumptions. Why should this be the last
breakthrough? If you plot the curve of what key length was considered
long enough as a function of time, it doesn't look very good.
Perhaps it is time to stop claiming "secure forever" altogether until
solid mathematical proofs of security are available.
>...
>I predict that Elliptic-Curve systems are about to become more
>popular.
>
I'm not completely comfortable with Elliptic-Curve systems. The
mathematics is relatively young and has seen a lot of progress. Yet
typical EC key length recommendations are based on the assumption
that there is no way to calculate discrete logs in EC groups that is
any faster than the general algorithm that applies to all finite
groups. That sounds pretty aggressive to me.
If we are going to have to upgrade OpenPGP standards in light of the
Bernstein paper, I would suggest a standard that combines RSA, EC
and, if possible, a third PK system whose algorithm is based on an
apparently independent problem. The advantage of double or triple
encryption is that a breakthrough in one problem area does not
immediately compromise all your previously encrypted data. And you
can upgrade the component key in question and distribute it signed
with the old key, without having to start from scratch in establishing
trust. Most personal computers are capable of this level of security.
Why settle for less?
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List