[Cryptography] RSA equivalent key length/strength

Perry E. Metzger perry at piermont.com
Sat Sep 14 12:56:02 EDT 2013


On Sat, 14 Sep 2013 09:31:22 -0700 Paul Hoffman
<paul.hoffman at vpnc.org> wrote:
> Also see RFC 3766 from almost a decade ago; it has stood up fairly
> well.

For those not aware, the document, by Paul and Hilarie Orman,
discusses equivalent key strengths and practical brute force methods,
giving extensive detail on how all calculations were done.

A URL for the lazy:

http://tools.ietf.org/html/rfc3766

It is very well done. I'd like to see an update done but it does
feel like the methodology was well laid out and is difficult to
argue with in general. The detailed numbers are slightly different
from others out there, but not so much as to change the general
recommendations that have been floating around.

Their table, from April 2004, looked like this:

   +-------------+-----------+--------------+--------------+
   | System      |           |              |              |
   | requirement | Symmetric | RSA or DH    | DSA subgroup |
   | for attack  | key size  | modulus size | size         |
   | resistance  | (bits)    | (bits)       | (bits)       |
   | (bits)      |           |              |              |
   +-------------+-----------+--------------+--------------+
   |     70      |     70    |      947     |     129      |
   |     80      |     80    |     1228     |     148      |
   |     90      |     90    |     1553     |     167      |
   |    100      |    100    |     1926     |     186      |
   |    150      |    150    |     4575     |     284      |
   |    200      |    200    |     8719     |     383      |
   |    250      |    250    |    14596     |     482      |
   +-------------+-----------+--------------+--------------+

They had some caveats, such as the statement that if TWIRL-like
machines appear, we could presume an 11 bit reduction in strength --
see the RFC itself for details.

Perry
-- 
Perry E. Metzger		perry at piermont.com