RSA-640 factored
Bill Stewart
bill.stewart at pobox.com
Wed Nov 9 21:54:08 EST 2005
At 09:33 AM 11/9/2005, Simon Josefsson wrote:
>Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
> > It is not reasonable, because the biggest constraint is memory, not
> > CPU. Inverting the matrix requires increasingly prohitive quantities
> > of RAM. Read the DJB hardware GNFS proposal.
>
>Can we deduct a complexity expression from it, that could be used to
>(at least somewhat reliably) predict the cost of cracking RSA-768 or
>or RSA-1024, based on the timing information given in this report?
>The announcement doesn't say how much memory these machines had,
The most important thing it tells us is that the workload for
cracking RSA-768 has definitely moved from
"No, Never!" to "Well, Hardly Ever", so in case anybody was still
thinking about using 768-bit or shorter keys,
they should now know better. The fact that it only took 80 boxes 5 months
to crack 640-bit means that an attacker with an NSA-sized budget
is definitely a threat to 768-bit keys,
even if they're not necessarily commercially cost-effective to crack.
Separately, Shamir's work on various crypto-magical factorization machines
has also meant that 1024-bit keys aren't safe from organizations
with large science budgets.
Bill Stewart
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list