non 2048-bit keys

ian.farquhar at ian.farquhar at
Sun Aug 15 22:49:25 EDT 2010

Samuel Neves wrote:

> If an attacker creating a special-purpose machine to break your keys is
> a realistic scenario, why are you even considering keys of that size?

What's the threat model?

If the set of possible actors includes first world SIGINT agencies, then yes, it is a reasonable assumption that a special configuration of system has been created to factor keys.  Think IBM or pre-acquisition SGI or pre-acquisition Sun as a supplier of such hardware, scaled up way beyond the configurations you'd get in the marketing literature (tens of thousands of cores, terabytes of physical RAM, low-range nine-figure price tags).

But as such an attack would likely cost millions of dollars per key, because the time to solution would be weeks or even months, then they'll only be using it as a last resort.  As Peter correctly pointed out, there are so many other viable threat vectors which are available, especially human-in-the-loop ones, which would likely be exhausted before that solution was tried.

For non-government level attacks, I agree that such a scenario is unrealistic.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list