
Daniel Bernstein has been talking about advances in IFP, particularly the batch number field sieve, for several years now; the question seems to be when, not if, 1024-bit RSA keys will be arbitrarily attackable.

Meanwhile, over the past couple of months, there's been a flurry of activity on the DLP, particularly Antoine Joux's work on the index calculus approach. The IFP and DLP are intertwined problems, but RSA also depends on the hardness of the DLP, as does (obviously) DH and ElG.

The advances we're currently seeing do not appear to threaten the elliptic curve discrete log problem.

Quantum computing is an issue, but it looks like a far-off issue. The record for quantum factorization right now is 27, right? If you believe QC is a near-term threat, no mainstream number-theoretic (public key / key agreement) cryptosystem helps you; you need to be working with code-based or lattice-based crypto; nothing does this now.

The problems motivating the shift from RSA to ECC are near-term, not far-off like QC.

Shit, I didn't look at who I was responding to. Ignore the tone; assume I'm addressing the thread, not you.



No problem. Agree that quantum is not really something to worry about, though it's a good thing that someone out there is thinking of alternatives.

By the way, the Batch NFS has seemingly fallen out of favor. Despite being significantly faster in the usual RAM computational model, it has worse AT complexity than factoring integers one by one (see section 5 of [1]), due to its crazy storage requirements. It doesn't change the fact, of course, that RSA-1024 doesn't have much shelf life left.

[1] http://eprint.iacr.org/2012/318
