On 2011-06-09 15:25, Jay Daley wrote:
Taking your engineering argument as a way forward - the largest RSA key to have been broken so far (that is publicly known) is 1023 bits and even that was a very special key. A 1280 bit key is 2^257 [stronger, so we have years]
You appear to be under the impression that advances in cryptographic key breaking only ever proceed at a linear pace, exactly matching Moore's Law improvements in equipment. This is not the case. Better cryptographic attacks are discovered from time to time that make it not just linearly easier to break a given key/cipher, but advance at the equivalent of many times "Moore's Law" gains at the stroke of a pen. This happened to MD5 about 5 years ago, hence my statement that it went at a moment from "a little weak, but okay for now" to "we have to change algorithms" in the release of a single research paper. (See, e.g., http://en.wikipedia.org/wiki/MD5#Security for a summary of the events.)

For this reason, in cryptographic engineering, one allows not just a linear amount of margin for safety ("most we can break now is 1023-bit, Moore's Law doubles every 18 months, we need 3 years, so 1025-bits will be enough") but quite a bit more, in order to deal with the risk that 10%, 20%, or more, of the perceived key strength can be rendered irrelevant by a single research paper.

Ewen