[Cryptography] Clinton asked for a secure email Blackberry in 2009
Phillip Hallam-Baker
phill at hallambaker.com
Thu Mar 17 17:23:16 EDT 2016
On Thu, Mar 17, 2016 at 2:59 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>
> On 03/17/2016 06:23 AM, Phillip Hallam-Baker wrote:
>
>> The cost of the PRISM, TAO, etc. programs was needing to preserve the
>> vulnerabilities they exploited. And they certainly haven't ended
>> completely. Only the other day I found myself having to argue that no,
>> a 2^128 work factor is not sufficient for every need and yes we do
>> require a 2^256 work factor.
>>
>> The original reason I wanted to go to elliptic curves in the first
>> place was to get the 2^256 work factor I can't get with RSA without
>> silly key sizes (16K). But no, I have to spend time making the case.
>
> I thought maybe I was the only one taking the "quantum crypto"
> noise seriously. Guess not. Although RSA keys suffer even more
> from quantum crypto than they suffer from advances in "standard"
> factoring algorithms.
I am not sure they do actually. I would have to think really hard to
work out if quantum computing against RSA is harder than ECDH. I
rather suspect it is because the factoring attack is exploiting one
weakness and QC is attacking another.
A Quantum computer to break a 16 bit RSA key would likely have to have
a very silly number of QBits.
No, the reason I use 256 bit crypto everywhere is simply because it is
simpler to use 256 bits for everything than provide two speeds and let
people choose. Even on the very weak computing devices I am using for
IoT, there isn't much to choose between 128 and 256 bit work factor
because they send so few messages and only need to rekey once a year
if that.
If I am happy with 128 bit WF then RSA2048 is near enough and already
ubiquitous. No need to change.
More information about the cryptography
mailing list