307 digit number factored

Thor Lancelot Simon tls at rek.tjls.com
Mon May 28 01:03:51 EDT 2007


On Thu, May 24, 2007 at 01:01:03PM -0400, Perry E. Metzger wrote:
> 
> Even for https, it costs no more to type in "2048" than "1024" into
> your cert generation app the next time a cert expires. The only
> potential cost is if you're so close to the performance line that
> slower RSA ops will cause you pain -- otherwise, it is pretty much
> costless. For average people's web servers most of the time,
> connections are sufficiently infrequent and RSA operations are "fast
> enough" that it makes no observable difference.

I don't buy it.  I build HTTP load balancers for a living, and for
basically all of our customers who use our HTTPS acceleration at all,
the cost of 1024-bit RSA is already, by a hefty margin, with hardware
assist, the limiting factor for performance.  Look at the specs on
some of the common accelerator families sometime: 2048 bit is going to
be quite a bit worse.

Busy web sites that rely on HTTPS are going to pay a fairly heavy price
for using longer keys, and not just in cycles: the few hardware solutions
still on the market that can stash keys in secure storage, of course, can
stash exactly half as many 2048-bit keys as 1024-bit ones.  Users who care
about HTTPS performance aren't as rare, I think, as you think.

What's more frustrating is the slow rate at which accelerator vendors
have moved ECC products towards market.  That's not going to help with
adoption any.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
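
To put numbers on the cost argued over in this exchange, here is an added example (not part of the original message or the thread) that generates throwaway 1024-bit and 2048-bit RSA keys and times the CRT private-key operation in pure Python. The public exponent 65537, the function names and the pure-Python arithmetic are assumptions of the example; the absolute times say nothing about hardware accelerators, only the growth with key size is of interest.

```python
import secrets
import timeit

E = 65537  # public exponent (assumed; the thread does not name one)
SMALL = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=8):
    """Miller-Rabin for large odd n (n > 47), after a small-factor screen."""
    if any(n % p == 0 for p in SMALL):
        return False
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n - 1: composite
    return True

def gen_prime(bits):
    while True:  # top two bits set so that p * q has exactly 2 * bits bits
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c

def keygen(bits):
    """Throwaway textbook RSA key with CRT parameters (constructed, benchmark only)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % E and (q - 1) % E:
            return {"n": p * q, "p": p, "q": q, "dp": pow(E, -1, p - 1),
                    "dq": pow(E, -1, q - 1), "qinv": pow(q, -1, p)}

def private_op(k, m):
    """Raw RSA private-key operation using CRT (Garner recombination), no padding."""
    m1, m2 = pow(m, k["dp"], k["p"]), pow(m, k["dq"], k["q"])
    return m2 + k["q"] * ((k["qinv"] * (m1 - m2)) % k["p"])

def seconds_per_op(k, reps=20, rounds=5):
    m = secrets.randbelow(k["n"] - 2) + 2  # random input below the modulus
    return min(timeit.repeat(lambda: private_op(k, m), number=reps, repeat=rounds)) / reps

if __name__ == "__main__":
    print({b: seconds_per_op(keygen(b)) for b in (1024, 2048)})  # seconds per op, by key size
```

The private-key operation is the one a server performs for each RSA key exchange, so the ratio between the two printed values is the per-handshake CPU cost of moving from 1024-bit to 2048-bit keys on the machine running the script.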


