2048 bits, damn the electrons! [rt at openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

Samuel Neves sneves at dei.uc.pt
Thu Sep 30 20:52:49 EDT 2010


On 30-09-2010 16:41, Thor Lancelot Simon wrote:
> On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote:
>> Thor Lancelot Simon writes:
>> 
>>> a significant net loss of security, since the huge increase in
>>> computation required will delay or prevent the deployment of
>>> "SSL everywhere".
>> 
>> That would only happen if we (as security experts) allowed web
>> developers to believe that the speed of RSA is the limiting factor
>> for web application performance.
> 
> At 1024 bits, it is not. But you are looking at a factor of *9* 
> increase in computational cost when you go immediately to 2048 bits. 
> At that point, the bottleneck for many applications shifts, 
> particularly those which are served by offload engines specifically 
> to move the bottleneck so it's not RSA in the first place.

...

> At present, these devices use the highest performance modular-math 
> ASICs available and can just about keep up with current web 
> applications' transaction rates. Make the modular math an order of 
> magnitude slower and suddenly you will find you can't put these 
> devices in front of some applications at all.

One solution would be to use 2048-bit 4-prime RSA. It would maintain the
security of RSA-2048, enable the reusing of the modular arithmetic units
of 1024 bit VLSI chips and keep ECM factoring at bay. The added cost
would only be a factor of ~2, instead of ~8.

Best regards,
Samuel Neves

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list