Marco d'Itri writes:
> If anybody disagrees then please describe a credible threat model in
> - an entity would want to have access to the key of a DD, and
> - would find brute forcing a 1024 bit key more practical than
> stealing it or coercing a developer to disclose it.

Brute-forcing the key just requires compute cycles. There is essentially
no chance of discovery and no risky activity at all until you start
actually using the key. You can basically choose exactly how or when you
want to use it, or use it only passively to decrypt data (although we
don't really use our keys much for encryption, mostly).

Stealing the key or coercing a developer is *far* riskier and runs a far
higher chance of discovery, because both necessarily involve doing things
out in the world that are visible and noticeable and that would be of
potential interest to the news media, etc.

The reason why people tend to focus on passive risks like brute-force
factoring is that they're only difficult in terms of necessary compute
power (or breakthrough mathematics). They pose essentially zero
operational difficulty and essentially zero risk; all the data that you
need to make the attempt is completely public, and attempting it is not at
all suspicious. There's no risk of getting caught. That makes the attack
far more feasible.

Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>