[Cryptography] constructing and exploiting trapdoored DH/DSA primes for 1024-bit keys is feasible

Michael Kjörling michael at kjorling.se
Mon Oct 17 16:37:15 EDT 2016


On 14 Oct 2016 21:24 -0400, from joshua.marpet at guardedrisk.com (Joshua Marpet):
> So write a rebuttal. Not trying to be rude but...

I'm not Hanno, nor do I claim in the least to be answering in Hanno's
place, but to me, there's a pretty big gap between

"demonstrat[ing] that constructing and exploiting trapdoored primes
for Diffie-Hellman and DSA is feasible for 1024-bit keys with modern
academic computing resources."

and

"the NSA broke trillions of encrypted connections"

The former shows that something is possible, which implies that it
_might_ have happened, either in select situations or wholesale.

The latter claims that the same something not only is possible, but
_did happen_ and _was exploited_, and additionally in this specific
case goes even further by claiming to explain _how_ it happened. The
use of the word "trillions" also implies that it wasn't a rare
occurrence.

There's a _big_ difference between those two.

Yes, it seems pretty clear that we need to move beyond 1024 bits for a
whole host of reasons, just like how 512-768 bits became insufficient
many years ago. No, that is not helped by sensationalist propaganda,
but rather by increasing default sizes to something like 1536 or 2048
bits or moving to different algorithms with different security versus
performance properties (elliptic curves, anyone?). A case for that can
_clearly_ be made without mentioning nation-state adversaries. IMO,
particularly _people on this list should know better._

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
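The post's closing recommendation (a floor of 2048 bits and groups whose structure can actually be inspected) can be turned into a concrete check. The script below is an added example and is not code from the original message or from either correspondent. It audits a finite-field Diffie-Hellman group (p, g): it reports the modulus size against a configurable floor, tests whether p is a safe prime (p = 2q + 1 with q prime) using Miller-Rabin, and, for a safe prime, checks that g generates the order-q subgroup rather than the full group. Everything is standard-library Python; the function names and the small safe prime produced by `generate_safe_prime` are constructed for illustration only and are not a recommended parameter set.

```python
"""Audit a finite-field Diffie-Hellman group (p, g).

Added example, not code from the original post. Checks:
  * modulus size against a minimum (default 2048 bits);
  * whether p is a safe prime, p = 2q + 1 with q prime;
  * for a safe prime, whether g generates the order-q subgroup.
A safe-prime result is a structural sanity check only; it does not
prove the prime was generated honestly. For that you need the generation
seed (verifiable generation, FIPS 186-4) or a standardized group such as
the RFC 7919 ffdhe groups.
"""
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
                 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=40):
    """Trial division by small primes, then Miller-Rabin with `rounds` bases.

    For composite n the chance of a false positive is at most 4**-rounds.
    """
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def is_safe_prime(p):
    """p is a safe prime if both p and (p - 1) / 2 are prime."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) \
        and is_probable_prime((p - 1) // 2)


def generator_ok(p, g):
    """For a safe prime p = 2q + 1, accept g iff it has order exactly q.

    g**q == 1 (mod p) with 1 < g < p - 1 rules out order 1, 2 and 2q, so
    the shared secret lands in the large prime-order subgroup.
    """
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, q, p) == 1


def assess_dh_group(p, g, min_bits=2048):
    """Return a dict describing the group and a list of findings (empty = OK)."""
    bits = p.bit_length()
    safe = is_safe_prime(p)
    gen_ok = safe and generator_ok(p, g)
    findings = []
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit floor")
    if not safe:
        findings.append("p is not a safe prime; its structure cannot be vetted "
                        "without the generation seed")
    elif not gen_ok:
        findings.append("g does not generate the order-q subgroup")
    return {"bits": bits, "safe_prime": safe, "generator_ok": gen_ok,
            "findings": findings, "acceptable": not findings}


def generate_safe_prime(bits):
    """Constructed toy helper: a random safe prime of exactly `bits` bits.

    Fine for demonstrations up to a few hundred bits; real deployments
    should use a standardized group, not a freshly rolled one.
    """
    while True:
        # q gets bits-1 bits with the top bit set, so p = 2q + 1 has `bits` bits.
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q, rounds=8):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            return p


if __name__ == "__main__":
    # 23 = 2*11 + 1 is a (tiny) safe prime; 2 has order 11 mod 23.
    print(assess_dh_group(23, 2))               # fails only on size
    print(assess_dh_group(23, 5))               # 5 has order 22: bad generator
    p = generate_safe_prime(128)                # constructed toy group
    print(assess_dh_group(p, 4, min_bits=128))  # 4 = 2**2 always has order q
```

Run against a real parameter file, the interesting cases are a 1024-bit modulus (the size the quoted result targets, flagged by the size check regardless of structure) and a DSA-style modulus whose p - 1 has only a small prime factor q, which is reported as unvettable rather than silently accepted.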

