2048-bit RSA keys

Steven Bellovin smb at cs.columbia.edu
Tue Aug 17 18:24:20 EDT 2010 

On Aug 17, 2010, at 5:19 10PM, Samuel Neves wrote:

> On 17-08-2010 21:42, Perry E. Metzger wrote:
>> On Tue, 17 Aug 2010 22:32:52 +0200 Simon Josefsson
>> <simon at josefsson.org> wrote:
>>> Bill Stewart <bill.stewart at pobox.com> writes:
>>> 
>>>> Basically, 2048's safe with current hardware
>>>> until we get some radical breakthrough
>>>> like P==NP or useful quantum computers,
>>>> and if we develop hardware radical enough to
>>>> use a significant fraction of the solar output,
>>>> we'll probably find it much easier to eavesdrop
>>>> on the computers we're trying to attack than to
>>>> crack the crypto.
>>> Another breakthrough in integer factoring could be sufficient for an
>>> attack on RSA-2048.  Given the number of increasingly efficient
>>> integer factorization algorithms that have been discovered
>>> throughout history, another breakthrough here seems more natural
>>> than unlikely to me.
>> A breakthrough could also render 10kbit keys broken, or might never
>> happen at all. A breakthrough could make short ECC keys vulnerable.
>> A breakthrough could make AES vulnerable. One can't operate on this
>> basis -- it makes it impossible to use anything other than one-time
>> pads.
>> 
> 
> A breakthrough is a rather strong term. But it's not unreasonable to
> believe that the number field sieve's complexity could be lowered on the
> near future by an *incremental* improvement --- it would only require
> lowering the complexity from L[1/3, ~1.92] to L[1/3, ~1.2] to make 2048
> bit factorization roughly as easy as 768 bits today.

It's worth quote from the paper at CRYPTO '10 on factorization of a 768-bit number:

	The new NFS record required the following effort. We spent half a year on
	80 processors on polynomial selection. This was about 3% of the main task,
	the sieving, which took almost two years on many hundreds of machines. On
	a single core 2.2 GHz AMD Opteron processor with 2 GB RAM, sieving would
	have taken about fifteen hundred years. We did about twice the sieving
	strictly necessary, to make the most cumbersome step, the matrix step, more
	manageable. Preparing the sieving data for the matrix step took a couple of
	weeks on a few processors. The final step after the matrix step took less
	than half a day of computing.

They conclude with

	at this point factoring a 1024-bit RSA modulus looks more than five times
	easier than a 768-bit RSA modulus looked back in 1999, when we achieved
	the first public factorization of a 512-bit RSA modulus. Nevertheless, a
	1024-bit RSA modulus is still about a thousand times harder to factor than
	a 768-bit one. It may be possible to factor a 1024-bit RSA modulus within
	the next decade by means of an academic effort on the same scale as the
	effort presented here. Recent standards recommend phasing out such moduli
	by the end of the year 2010 [28]. See also [21]. Another conclusion from
	our work is that we can confidently say that if we restrict ourselves to
	an open community, academic effort such as ours and unless something
	dramatic happens in factoring, we will not be able to factor a 1024-bit
	RSA modulus within the next five years [27]. After that, all bets are off.

They also suggest that a 3-4 year phase-out of 1024-bit moduli is the proper course.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list