307 digit number factored

Nate Lawson nate at root.org
Wed Oct 10 14:48:24 EDT 2007

travis+ml-cryptography at subspacefield.org wrote:
> On Mon, May 21, 2007 at 04:32:10PM -0400, Victor Duchovni wrote:
>> On Mon, May 21, 2007 at 02:44:28PM -0400, Perry E. Metzger wrote:
>>> My take: clearly, 1024 bits is no longer sufficient for RSA use for
>>> high value applications, though this has been on the horizon for some
>>> time. Presumably, it would be a good idea to use longer keys for all
>>> applications, including "low value" ones, provided that the slowdown
>>> isn't prohibitive. As always, I think the right rule is "encrypt until
>>> it hurts, then back off until it stops hurting"...
>> When do the Certicom patents expire? I really don't see ever longer RSA
>> keys as the answer, and the patents are I think holding back adoption...
> They already expired.

Not true (counterexample: ECMQV).

> Some EC primitives in the latest OpenSSL.

Because various standard forms of EC were never covered by patents.
This has been rehashed many times, for example:

> But why assume short ECC keys are stronger than long RSA?
> AFAIK, the only advantage of ECC is that the keys are shorter.
> The disadvantage is that it isn't as well studied.

Again, this is well covered.  The reason is the fundamental difference
in the performance of the best-known attacks (GNFS vs. Pollard's rho).

Also, EC public operations are typically faster than private, although
not on the order of the difference between RSA public and private ops.

> Although every time I read up on ECC, I understand it, and then within
> a few days I don't remember anything about it.  I think they teflon
> coated those ideas somehow, because they don't stick.
>> With EECDH one can use ECDH handshakes signed with RSA keys, but that
>> does not really address any looming demise of 1024 bit RSA.
> Why can't they do something like El-Gamal?
> I'm not comfortable with RSA somehow.  It seems fundamentally more
> complicated to me than DLP, and it's hard to get right - look at how
> many things there are in the PKCS for it.

The RSA or EC primitives are *not* usable cryptographic schemes by
themselves, thus it isn't fair to compare them this way (RSA+PKCS#1 !=
EC point multiplication).

ECDSA, for example, is intentionally constrained to be signing-only and
the hash signed is a fixed size.  It's more fair to compare RSA+PKCS#1
with EC+DSA/DH.  In that sense, I think the complexity of implementation
is similar.

I'm not saying that one of these schemes is better than the other.  They
each have their own tradeoffs.  I just object to your methodology of
claiming RSA is fundamentally more problematic than EC.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list