1280-Bit RSA
Samuel Neves
sneves at dei.uc.pt
Sun Jul 11 12:26:08 EDT 2010
On 11-07-2010 01:11, Brandon Enright wrote:
> On Fri, 9 Jul 2010 21:16:30 -0400 (EDT)
> Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:
>
>> The following usenet posting from 1993 provides an interesting bit
>> (no pun itended) of history on RSA key sizes. The key passage is the
>> last paragraph, asserting that 1024-bit keys should be ok (safe from
>> key-factoring attacks) for "a few decades". We're currently just
>> under 1.75 decades on from that message. I think the take-home lesson
>> is that forecasting progress in factoring is hard, so it's useful to
>> add a safety margin...
> This is quite interesting. The post doesn't say but I suspect at the
> factoring effort was based on using Quadratic Sieve rather than GNFS.
> The difference in speed for QS versus GNFS starts to really diverge with
> larger composites. Here's another table:
>
> RSA GNFS QS
> ===========================
> 256 43.68 43.73
> 384 52.58 55.62
> 512 59.84 65.86
> 664 67.17 76.64
> 768 71.62 83.40
> 1024 81.22 98.48
> 1280 89.46 111.96
> 1536 96.76 124.28
> 2048 109.41 146.44
> 3072 129.86 184.29
> 4096 146.49 216.76
> 8192 195.14 319.63
> 16384 258.83 469.80
> 32768 342.05 688.62
>
> Clearly starting at key sizes of 1024 and greater GNFS starts to really
> improve over QS. If the 1993 estimate for RSA 1024 was assuming QS
> then that was roughly equivalent to RSA 1536 today. Even improving the
> GNFS constant from 1.8 to 1.6 cuts off the equivalent of about 256 bits
> from the modulus.
>
> The only certainty in factoring techniques is that they won't get worse
> than what we have today.
>
> Brandon
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
The exponent can be further lowered from that (somewhere between 1.6 and
1.7) --- RSA-768 took about 2^67 Opteron instructions to complete, and
RSA-512 can be done in about 2^54 similar operations (it is in the realm
of possibility for a single box over a few days/weeks).
Best regards,
Samuel Neves
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list