Newsgroups: sci.crypt
From: bs@gauss.mitre.org (Robert D. Silverman)
Subject: Re: Pretty Good (tm) Privacy
Message-ID: <1992Jan21.220230.16019@linus.mitre.org>
Organization: The MITRE Corporation, Bedford, MA 01730
References: <11712.Jan2106.30.1992@virtualnews.nyu.edu> <1992Jan21.132644.27590@linus.mitre.org> <14307.Jan2119.32.2392@virtualnews.nyu.edu>
Date: Tue, 21 Jan 1992 22:02:30 GMT

In article <14307.Jan2119.32.2392@virtualnews.nyu.edu> brnstnd@nyu.edu (Dan Bernstein) writes:
>Bob, like Kevin, is completely misinterpreting my statements to mean
>something which they do not say.
>> State of the art in factoring
>> and in computing discrete logs is such that for numbers in the 300 to 600
>> bit range, one can solve a discrete log problem with n-30 bits in about the
>> same time one can factor an n-bit number.  This is by direct measurement.
>
>Now *that* is wild exaggeration. Neither Bob nor anyone else has ever
>factored a general number between 450 and 600 bits. In fact, Bob's
>personal record is around 385 bits, right, Bob? Bob's implication that
>those figures are based on ``direct measurement'' is simply wrong.
>Extrapolation beyond your experience is a very, very bad idea in
>cryptography.
>

Bzzzt!!!

Wrong.

We have VERY good estimates for the o(1) terms in the asymptotics. The curves
are quite smooth. While we have not yet factored any general 512 bit numbers,
I can tell you within 10% exactly how long it will take [in MIPS-YEARS].

We have EXTENSIVE measurements ranging from 200 bits up to about 350 bits
and know very well how these algorithms behave.

--
Bob Silverman
These are my opinions and not MITRE's.
Mitre Corporation, Bedford, MA 01730
"You can lead a horse's ass to knowledge, but you can't make him think"
