[Cryptography] RSA equivalent key length/strength

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Sep 14 11:53:38 EDT 2013

Recommendations are given herein as: symmetric_key_length -> 
recommended_equivalent_RSA_key_length, in bits.

Looking at Wikipedia,  I see:

"As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in 
strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit 
symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA 
claims that 1024-bit keys are likely to become crackable some time 
between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. 
An RSA key length of 3072 bits should be used if security is required 
beyond 2030.[6]"


That page doesn't give any actual recommendations or long-term dates 
from RSA now. It gives the "traditional recommendations" 80 -> 1024 and 
112 -> 2048, and a 2000 Lenstra/Verheul minimum commercial 
recommendation for 2010 of 78 -> 1369.

"NIST key management guidelines further suggest that 15360-bit RSA keys 
are equivalent in strength to 256-bit symmetric keys.[7]"


NIST also give the "traditional" recommendations, 80 -> 1024 and 112 -> 
2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.

I get that 1024 bits is about on the edge, about equivalent to 80 bits 
or a little less, and may be crackable either now or sometime soon.

But, I wonder, where do these longer equivalent figures come from?

I don't know, I'm just asking - and I chose Wikipedia because that's the 
general "wisdom".

Is this an area where NSA have "shaped the worldwide cryptography 
marketplace to make it more tractable to advanced cryptanalytic 
capabilities being developed by NSA/CSS", by perhaps greatly 
exaggerating the equivalent lengths?

And by emphasising the difficulty of using longer keys?

As I said, I do not know. I merely raise the possibility.

[ Personally, I recommend 1,536 bit RSA keys and DH primes for security 
to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if paranoid/high 
value; and not using RSA at all for longer term security. I don't know 
whether someone will build that sort of quantum computer one day, but 
they might. ]

-- Peter Fairbrother

More information about the cryptography mailing list