
The Cryptopocalypse - Garbage
http://www.schneier.com/blog/archives/2013/08/the_cryptopocal.html
======
tptacek
I think the authors of the presentation† would agree with Schneier about the
math, and I know Tom Ritter's working on a bit of a follow-up. But I don't
think they'd agree on Schneier's message here, which is that people who use
RSA have nothing to worry about. The Joux small-char DLP stuff isn't going to
directly impact RSA, but RSA in its most commonly used key size (1024 bits) is
not secure, and the next common size up (2048 bits) is ~5x slower. It's past
time people started moving away from RSA.

† _My name is first listed among them but I did literally no work on it; I'm
as confused as you are, but flattered._

~~~
leokun
What do you use for your SSH key? RSA? Just curious. As far as I know RSA and
DSA are the only options for SSH, or is that wrong?

~~~
MichaelSalib
Recent versions of SSH (6.1p1 on Ubuntu 13.04) support ECDSA:
[http://en.wikipedia.org/wiki/Elliptic_Curve_DSA](http://en.wikipedia.org/wiki/Elliptic_Curve_DSA)

Unfortunately, gnome-keyring-daemon can't deal with those keys...grrr.

~~~
zx2c4
As of GnuPG 2.0.21, gpg-agent can deal with ECDSA keys, which is quite nice.

------
tlb
Remember folks: people may be capturing and storing your SSL traffic now. If
there is a huge advance in factoring 5 or 10 years from now, they'll be able
to decrypt all your traffic from today.
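
An added example illustrating the record-now, decrypt-later point above (not code from the thread or from any of the people quoted). It contrasts two ways the same server RSA key can be used in a handshake: RSA key transport (TLS_RSA_* style), where the session key crosses the wire encrypted to the long-term key and is recoverable from a recorded transcript once that key is obtained, and ephemeral Diffie-Hellman signed with that key (DHE style), where the transcript holds nothing the private key can decrypt. Every primitive is a toy stand-in I chose for a dependency-free demo: textbook RSA without padding, SHA-256 in counter mode instead of AES, a random 512-bit prime instead of a standard DH group, and function names such as `handshake_dhe` and `attacker_later_dhe` are mine.

```python
"""Harvest-now, decrypt-later: RSA key transport vs. ephemeral Diffie-Hellman.
Added toy example (standard library only): textbook RSA, SHA-256 counter mode
as the record cipher, a random prime as the DH group. Shows what a recorded
transcript is worth once the server's long-term RSA private key leaks."""
import hashlib, random

rng = random.Random(2013)  # seeded so the toy keys repeat; never seed real key generation

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a little trial division up front."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def kdf(value: int, width: int) -> int:
    return int.from_bytes(hashlib.sha256(value.to_bytes(width, "big")).digest(), "big")

def stream_xor(key: int, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || block counter) as keystream."""
    kb, out = key.to_bytes(32, "big"), bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def rsa_sign(priv, value):
    n, d = priv
    return pow(kdf(value, 64), d, n)

# Key exchange 1: RSA key transport (TLS_RSA_* cipher suites).
def handshake_rsa_transport(server_pub, plaintext):
    """Client picks the session key, sends it encrypted to the server's long-term key."""
    n, e = server_pub
    session_key = rng.getrandbits(128)
    return {"encrypted_key": pow(session_key, e, n),        # ClientKeyExchange
            "record": stream_xor(session_key, plaintext)}  # application data, as recorded

def attacker_later_rsa_transport(transcript, server_priv):
    """Years later, holding the private key: decrypt the recorded key, then the data."""
    n, d = server_priv
    return stream_xor(pow(transcript["encrypted_key"], d, n), transcript["record"])

# Key exchange 2: ephemeral DH signed by the same RSA key (DHE cipher suites).
DH_P, DH_G = gen_prime(512), 2   # toy group; real systems use RFC 3526/7919 groups or ECDHE

def handshake_dhe(server_pub, server_priv, plaintext):
    """Session key comes from fresh exponents x, y that never cross the wire."""
    x, y = rng.getrandbits(256), rng.getrandbits(256)
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    sig = rsa_sign(server_priv, gy)                           # RSA only signs, encrypts nothing
    assert pow(sig, server_pub[1], server_pub[0]) == kdf(gy, 64)   # client verifies
    assert pow(gy, x, DH_P) == pow(gx, y, DH_P)               # both sides agree on g^xy
    session_key = kdf(pow(gy, x, DH_P), 64)
    del x, y                                                  # ephemeral secrets discarded
    return {"gx": gx, "gy": gy, "sig": sig, "record": stream_xor(session_key, plaintext)}

def attacker_later_dhe(transcript, server_priv):
    """Same attacker, same key. 'Decrypting' a public DH value gives a number
    unrelated to g^xy; getting g^xy from g^x, g^y is a discrete log, not factoring."""
    n, d = server_priv
    return stream_xor(kdf(pow(transcript["gy"], d, n), 128), transcript["record"])  # garbage

PLAINTEXT = b"GET /account HTTP/1.1\r\nCookie: session=deadbeef\r\n\r\n"  # constructed traffic
SERVER_PUB, SERVER_PRIV = rsa_keygen(1024)

def demo():
    """Returns (recovered from RSA transport, recovered from DHE)."""
    t_rsa = handshake_rsa_transport(SERVER_PUB, PLAINTEXT)
    t_dhe = handshake_dhe(SERVER_PUB, SERVER_PRIV, PLAINTEXT)
    return attacker_later_rsa_transport(t_rsa, SERVER_PRIV), attacker_later_dhe(t_dhe, SERVER_PRIV)

if __name__ == "__main__":
    got_rsa, got_dhe = demo()
    print("RSA transport leaks recorded traffic:", got_rsa == PLAINTEXT, "| DHE:", got_dhe == PLAINTEXT)
```

Running it, the first value returned by `demo()` equals the recorded plaintext and the second is noise. The takeaway for the concern raised above is that the exposure is a property of the key exchange, not of RSA alone: with (EC)DHE suites a future break of the long-term key lets an attacker forge new handshakes, but does not unlock traffic captured earlier.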

------
tptacek
Matthew Green breaks this down in considerably more detail here; highly
recommended:

[https://news.ycombinator.com/item?id=6238305](https://news.ycombinator.com/item?id=6238305)

------
trebor
If I read this correctly, Schneier is saying that "increasing key size will be
enough to stay ahead of the advances in factorization for the foreseeable
future." I hope this is true. But I think I'll stick to my guns, saying that
RSA will be broken (with)in 5 years.

------
aortega
Even if RSA is broken tomorrow, we already have many other algorithms for
asymmetric encryption that do not depend on factoring and can't be broken even
with a quantum computer, like the McEliece cryptosystem. We would only need to
change the standard quickly, like when MD5 was broken.

~~~
tptacek
However true that is, it doesn't really respond to anyone's point (Schneier's
or Ritter/Samuel's); nobody involved in this was saying something like "crypto
is dead".

~~~
aortega
Indeed, but then he could go with a less scary title than "The
Cryptopocalypse". "RSApocalypse" maybe.

