Possibly questionable security decisions in DNS root management

Jerry Leichter leichter at lrw.com
Mon Oct 19 22:06:13 EDT 2009

On Oct 17, 2009, at 5:23 AM, John Gilmore wrote:
> Even using keys that have a round number of bits is foolish, in my
> opinion.  If you were going to use about 2**11th bits, why not 2240
> bits, or 2320 bits, instead of 2048?  Your software already handles
> 2240 bits if it can handle 2048, and it's only a tiny bit slower and
> larger -- but a 2048-bit RSA cracker won't crack your 2240-bit key.
> If this crypto community was serious about resistance to RSA key
> factoring, the most popular key generation software would be picking
> key sizes *at random* within a wide range beyond the number of bits
> demanded for application security.  That way, there'd be no "sweet
> spots" at 1024 or 2048.  As it is today, if NSA (or any major country,
> organized crime group, or civil rights nonprofit) built an RSA key
> cracker, more than 50% of the RSA keys in use would fall prey to a
> cracker that ONLY handled 1024-bit keys.  It's probably more like
> 80-90%, actually.  Failing to use 1056, 1120, 1168-bit, etc, keys is
> just plain stupid on our (the defenders') part; it's easy to automate
> the fix.
What factoring algorithms would be optimized for a fixed number of  
bits?  I suppose one could have hardware that had 1024-bit registers,  
which would limit you to no more than 1024 bits; but I can't think of  
a factoring algorithm that works for 1024 bits, the top one of which  
is 1, but not at least equally well when that top bit happens to be 0.

                                                         -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list