1994-05-09 - [anon1df3@nyx10.cs.du.edu: Re: PGP 2.5]

Header Data

From: dat@ebt.com (David Taffs)
To: cypherpunks@toad.com
Message Hash: 04b74b390b6e94cc3af14a79aff93aa7251857de834e7ed025559627ba554b93
Message ID: <9405092313.AA09441@helpmann.ebt.com>
Reply To: N/A
UTC Datetime: 1994-05-09 23:13:56 UTC
Raw Date: Mon, 9 May 94 16:13:56 PDT

Raw message

From: dat@ebt.com (David Taffs)
Date: Mon, 9 May 94 16:13:56 PDT
To: cypherpunks@toad.com
Subject: [anon1df3@nyx10.cs.du.edu: Re: PGP 2.5]
Message-ID: <9405092313.AA09441@helpmann.ebt.com>
MIME-Version: 1.0
Content-Type: text/plain



|> Another RSAREF limitation is that it cannot cope with keys longer than
|> 1024 bits.

Projecting current progress in factoring, how long will 1024-bit keys
be secure against something like NSA?

Is it the case that by standarizing on 1024-bit keys for the
forseeable future, are we merely providing a window of opportunity for
cryptopunks which will work fine for awhile but which will slam shut
forever once the NSA becomes able (as a result of vast computer power,
if nothing else) to routinely factor numbers this large, maybe in
about 2150 or so? Remember people thought RSA-129 would take a long
time.

Cypherpunks write code that will remain secure for a long, long time I
hope. Standardizing on RSAREF might, in the very long run, eventually
have the same crippling effect that standarizing on clipper could have
in the short to intermediate term. If people become complacent about
this limitation, it could become institutionalized. If everybody
uses PGP 2.5 for the next hundred years, what happens then?

If the public PGP depends on RSAREF whose evolution is controlled by
RSA, and if eventually a new version comes out which is incompatible
with the older versions, and for which source code isn't as readily
available, and the world standardizes on it, and it isn't interoperable
with older versions, then we lose control, even if we now distribute
a version of PGP 2.5 with the key restriction removed.

I would be happier if PGP 2.5 did not impose such a limit on key
length. If we standardize on something with limitations, we have
to remove them in the future. If we standarize on something without
limitations, future generations don't have to worry about it.

In addition to distributing crypto to the masses, we need to ensure
that no infrastructure gets imposed which obviates our methods. I
don't know if the 1024-bit key restriction will over time become
an important limitation or not -- do you? A better question -- how
long will it take?

I don't think I'm being paranoid, I'm just curious about the details
about what is known about just how hard factoring is, and how that
corresponds to the exponential growth in technological capability, and
where the crossover point lies for 1024-bit keys. Maybe I should just
read the book instead of posting... (Naah!..)

-- 
dat@ebt.com (David Taffs)






Thread