In order to crack the key used for any particular encryption session. The fact that this uses disposable keys (a new key is generated for every session and then destroyed at the end of the session) makes it all the more difficult. I haven't studied the ZRTP protocol or Zimmermann's implementation in detail, but I assume he's chosen a default key length large enough to make cracking non-trivial and yet not overly tax the resources of the computing hardware hosting the ZRTP client.
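To make the "disposable keys" point concrete, here is an added example (not code from the original post, and not Zimmermann's ZRTP implementation) of a bare ephemeral Diffie-Hellman agreement between two call endpoints: each side draws a fresh random exponent per call, derives the call key from the shared secret, discards the exponent as soon as the key exists, and drops the key at hang-up. ZRTP wraps this in a richer protocol (commitment, short authentication string, key continuity), none of which is modelled here. The group constant is RFC 3526 group 14 as transcribed by hand; the `Endpoint` class, the key-derivation label and the function names are this example's own.

```python
# Added example: per-call ephemeral Diffie-Hellman (not the original post's
# code and not Zimmermann's ZRTP). Shows why a key generated per session and
# destroyed afterwards gives an attacker one call per crack, not all of them.
import hashlib
import secrets

# 2048-bit MODP group, RFC 3526 group 14, transcribed here by hand;
# verify against the RFC before reusing it anywhere that matters.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 256 bytes for a 2048-bit modulus


def is_valid_public(pub: int) -> bool:
    """Reject degenerate public values (0, 1, p-1, out of range): they force
    the shared secret into a tiny subgroup no matter what exponent we chose."""
    return 1 < pub < P - 1


class Endpoint:
    """One end of a call. Holds a DH exponent only for the handshake and a
    session key only for the duration of the call."""

    def __init__(self, name: str):
        self.name = name
        self._exp = None          # ephemeral exponent, None outside a handshake
        self.session_key = None   # call key, None outside a call

    def start_call(self) -> int:
        # A fresh random exponent for every call: nothing from an earlier call
        # is reused, so cracking one call's key says nothing about the others.
        self._exp = secrets.randbelow(P - 2) + 1
        return pow(G, self._exp, P)

    def finish_handshake(self, peer_pub: int) -> None:
        if not is_valid_public(peer_pub):
            raise ValueError("degenerate DH public value from peer")
        shared = pow(peer_pub, self._exp, P)
        # Derive the call key from the shared secret. The label is constructed
        # for this example; it just binds the hash to its purpose.
        self.session_key = hashlib.sha256(
            b"example-call-key|" + shared.to_bytes(P_BYTES, "big")).digest()
        self._exp = None  # the exponent is never needed again: drop it now

    def end_call(self) -> None:
        self.session_key = None  # key destroyed at hang-up


def run_call(a: Endpoint, b: Endpoint) -> bytes:
    """Run one complete call between a and b; return the key they agreed on."""
    pub_a = a.start_call()
    pub_b = b.start_call()
    a.finish_handshake(pub_b)
    b.finish_handshake(pub_a)
    if a.session_key != b.session_key:
        raise RuntimeError("key agreement failed")
    key = a.session_key
    a.end_call()
    b.end_call()
    return key


if __name__ == "__main__":
    alice, bob = Endpoint("alice"), Endpoint("bob")
    k1 = run_call(alice, bob)
    k2 = run_call(alice, bob)
    print("call 1 key:", k1.hex()[:16], "...")
    print("call 2 key:", k2.hex()[:16], "...")
    print("keys differ between calls:", k1 != k2)
    print("nothing retained after hang-up:", alice.session_key is None)
```

Running it twice between the same two endpoints yields two unrelated 256-bit keys, and after each call neither endpoint holds anything that could regenerate them. The public-value check matters in practice: without it a man-in-the-middle can send 1 or p-1 and collapse the shared secret to a handful of possibilities. Note that bare DH on its own does nothing against an active man-in-the-middle who substitutes his own public values; that is the gap ZRTP's extra machinery exists to close.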
What you've got to remember is that nothing is 100% secure. What one tries to do when striving for security is to put up enough barriers that it is no longer worth the effort to get to whatever is being secured. The flip side is that you try to be reasonably secure without putting up so many barriers that it becomes burdensome to get to, or do, whatever it is you're interested in securing in the first place. So while I wouldn't count on the NSA not being able to listen in on your conversation, it's reasonable to assume that Zfone and ZRTP would make it uneconomical to crack every call. And though the NSA may be years ahead in tech, they are not years ahead in quantum computing, which would be required to crack arbitrarily large key lengths.
Also, you have to consider that this does nothing to obscure the kind of external data, or metadata, being collected from the phone companies; even though you're not using a standard phone or cell for Zfone, you're still generating metadata. As Zimmermann notes in the FAQ:
Q: Does Zfone protect against "social network analysis" and other forms of analysis based on traffic patterns?
A: No, not at all. Zfone just encrypts the contents of the call. The only way to protect against traffic analysis is to go through multiple intermediaries, which is a technique that has been used to protect email and web browsing (see the TOR project for an example of this). But this adds latency to communications, which may be unnoticeable for email, and at least tolerable for web browsing, but would be unacceptable for phone calls. Further, these countermeasures may be ineffective against a clever and resourceful opponent, because it's hard to hide the timing and length of the messages, especially if there are real-time communication requirements.
http://www.philzimmermann.com/EN/zfone/index-faq.html

So in my estimation, as with Zimmermann's previous PGP product, Zfone is "pretty good privacy", and that's often more than enough, but if you're looking for panaceas, there aren't any.
Now, if you couple Zfone with GPG for e-mail (and other things) and Off The Record for instant messaging, then you've got a pretty good arsenal for helping to ensure that your private communications stay that way. Just remember, though, that the fact that you are encrypting your communications itself says something: that you care enough about what you're sending or saying to have it encrypted. But if you were to encrypt everything, just as you use an envelope for almost everything you send through the mail, that wouldn't be so suspicious. If you could get your whole circle of friends doing it, even better. If everybody did it... Well, then over half the country wouldn't be OK with the NSA datamining their external data.