[TIME_WARP] 1280-Bit RSA
Jonathan Thornburg
jthorn at astro.indiana.edu
Fri Jul 9 21:16:30 EDT 2010
The following usenet posting from 1993 provides an interesting bit
(no pun itended) of history on RSA key sizes. The key passage is the
last paragraph, asserting that 1024-bit keys should be ok (safe from
key-factoring attacks) for "a few decades". We're currently just
under 1.75 decades on from that message. I think the take-home lesson
is that forecasting progress in factoring is hard, so it's useful to
add a safety margin...
From: pcl at ox.ac.uk (Paul C Leyland)
Newsgroups: sci.crypt
Subject: Re: Questions about RSA.
Message-ID: <PCL.93Feb16102611 at rhodium.ox.ac.uk>
Date: 16 Feb 93 10:26:11 GMT
References: <1993Feb10.183246.29386 at ee.ubc.ca>
Distribution: sci.crypt, alt.security
Organization: Oxford University Computing Services, 13 Banbury Rd Oxford OX2 6NN
Lines: 59
In-reply-to: jrusmise at ee.ubc.ca's message of 10 Feb 93 18:32:46 GMT
In article <1993Feb10.183246.29386 at ee.ubc.ca> jrusmise at ee.ubc.ca (RUSMISEL JASON DIRK) writes:
...
1) The article suggests that the length of 'n', (where n is the product
of two large primes p and q, and n is the modulus used with the
encryption and decrytion keys to decode and encode) be 200 digits. [page
125, top right] 200 digits base 10 is about 664 binary digits. Now, to
the question. The program PGP provides various levels of key length,
384 bits, 512 bits and 1024 bits. How were these numbers decided on? I
The PGP values are round numbers (3/8, 1/2 and 1) in kilobits.
They are (handwaving furiously here) "about the right size" for
testing, routine use and archival security. The RSA values are
about the right size for routine use.
realize that the state of computer technology at the time the RSA
article was written was very different than it is now, but have there
been significant advances in crypto breaking since 1978 that would
make factoring such large numbers much easier? (Perhaps the Connection
Machine.....) Really I'm interested in a discussion of the design
decisions/tradeoffs here.
Let me try to justify the armwaving a little. First, we must
realise that the larger the keys, the greater the run-time of the
encryption and decryption process. Purists may nit pick, but
roughly speaking doubling the number of digits in the key
increases the run time eightfold. [Purists: I'm assuming a
n-squared multiplication routine and the simple binary method of
exponentiation]. So small moduli are good.
So far as is known, the only way to find the RSA secret key
(other than espionage, bribery, extortion, etc) is to factorize
the modulus. Here large moduli are good. Roughly speaking
*adding* a few bits to the length of the modulus raises the
factorizing cost eightfold. Compare this to the encryption,
where *doubling* costs us that much. The meaning of "a few bits"
can also be argued over, but it is around 20 bits, depending on
methods and the size of the number.
Current state of the art described in the open literature
factorizes 120-digit numbers in a time of order one year, using
machines of order 1000mips performance. Again, purists can post
better numbers if they wish. 384 bits is 116 digits so the PGP
test keys can, with sufficient effort, be cracked with today's
technology. 512 bits is well beyond current technology (155
digits) but *might* be accessible in a few years with better
algorithms and faster machines and more of them working in
parallel and ... (I'm handwaving again). 1024-bits, so far as is
known should be ok for a few decades. I'd be happy to be proved
wrong, as there's lots of other numbers I'd like to be able to
factorize.
Paul
--
Paul Leyland <pcl at oxford.ac.uk> | Hanging on in quiet desperation is
Oxford University Computing Service | the English way.
13 Banbury Road, Oxford, OX2 6NN, UK | The time is come, the song is over.
Tel: +44-865-273200 Fax: +44-865-273275 | Thought I'd something more to say.
Finger pcl at black.ox.ac.uk for PGP key |
--
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
"Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
-- quote by Freire / poster by Oxfam
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list