Subject: Long RSA keys
To: mipam@ibb.net, Matthias Buelow <mkb@mukappabeta.de>
From: Perry E. Metzger <perry@piermont.com>
List: tech-security
Date: 08/29/2002 16:03:03

I want to make something absolutely clear. I think it is always a good
idea to use the best crypto your application can comfortably
handle. If your machine is fast enough to use 2048 bit RSA keys, well,
no harm is done by it, and if Dan Bernstein is correct, 1024 bit keys
will be obsolete sooner than we thought so it may be worthwhile. There
is always a tradeoff, and 2048 bit keys are unacceptably slow on old
hardware or for many embedded apps, but it's not an awful idea if you
don't care about the speed penalty, like if you have only very modern
hardware.

All that said, anyone claiming that it is now affordable to routinely
crack 1024 bit RSA keys is unfamiliar with the facts.  Maybe (and it's
a big maybe) the NSA can afford to dedicate multi-hundred million or
billion dollar boxes for a month or longer to do it for a high value key
(assuming that it is possible at all), or maybe the NSA knows things
about factoring we don't, but it is not bloody likely that everyday
crackers or even Fortune 100 companies will be doing this stuff any
time soon.

If you think that you have something new and exciting to tell me that
I've never heard of before, check if it has been published in Crypto
or Eurocrypt or something first. If you don't know enough to read
those conference proceedings, you don't know enough to have an
intelligent opinion on the cost of building a machine to run djb's NFS
factoring ideas.


--
Perry E. Metzger		perry@piermont.com
--
"Ask not what your country can force other people to do for you..."