[Cryptography] RSA equivalent key length/strength
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sat Sep 14 13:48:40 EDT 2013
On 14/09/13 17:14, Perry E. Metzger wrote:
> On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother
> <zenadsl6186 at zen.co.uk> wrote:
>> NIST also give the "traditional" recommendations, 80 -> 1024 and 112
>> -> 2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.
> [...]
>> But, I wonder, where do these longer equivalent figures come from?
>>
>> I don't know, I'm just asking - and I chose Wikipedia because that's
>> the general "wisdom".
> [...]
>> [ Personally, I recommend 1,536 bit RSA keys and DH primes for
>> security to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if
>> paranoid/high value; and not using RSA at all for longer term
>> security. I don't know whether someone will build that sort of
>> quantum computer one day, but they might. ]
>
> On what basis do you select your numbers? Have you done
> calculations on the time it takes to factor numbers using modern
> algorithms to produce them?
Yes, some - but I don't believe that's enough. Historically, it would
not have been (and wasn't) - it doesn't take account of algorithm
development.
I actually based the 1,536-bit figure on the old RSA factoring
challenges, and how long it took to break them.
We are publicly at 768 bits now, and that's very expensive
http://eprint.iacr.org/2010/006.pdf - and, over the last twenty years
the rate of public advance has been about 256 bits per decade.
So at that rate 1,536 bits would become possible but very expensive in
2043, and would still be impossible in 2030.
If 1,024 is possible but very expensive for NSA now, and 256 bits per
decade is right, then 1,536 may just be on the verge of edging into
possibility in 2030 - but I think progress is going to slow (unless they
develop quantum computers).
We have already found many of the "easy-to-find" advances in theory.
-- Peter Fairbrother
More information about the cryptography
mailing list