[Cryptography] RSA equivalent key length/strength

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Sep 14 13:48:40 EDT 2013

On 14/09/13 17:14, Perry E. Metzger wrote:
> On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother
> <zenadsl6186 at zen.co.uk> wrote:
>> NIST also give the "traditional" recommendations, 80 -> 1024 and 112
>> -> 2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.
> [...]
>> But, I wonder, where do these longer equivalent figures come from?
>> I don't know, I'm just asking - and I chose Wikipedia because that's
>> the general "wisdom".
> [...]
>> [ Personally, I recommend 1,536 bit RSA keys and DH primes for
>> security to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if
>> paranoid/high value; and not using RSA at all for longer term
>> security. I don't know whether someone will build that sort of
>> quantum computer one day, but they might. ]
> On what basis do you select your numbers? Have you done
> calculations on the time it takes to factor numbers using modern
> algorithms to produce them?

Yes, some - but I don't believe that's enough. Historically, it would 
not have been (and wasn't) - it doesn't take account of algorithm 

I actually based the 1,536-bit figure on the old RSA factoring 
challenges, and how long it took to break them.

We are publicly at 768 bits now, and that's very expensive 
http://eprint.iacr.org/2010/006.pdf - and, over the last twenty years 
the rate of public advance has been about 256 bits per decade.

So at that rate 1,536 bits would become possible but very expensive in 
2043, and would still be impossible in 2030.

If 1,024 is possible but very expensive for NSA now, and 256 bits per 
decade is right, then 1,536 may just be on the verge of edging into 
possibility in 2030 - but I think progress is going to slow (unless they 
develop quantum computers).

We have already found many of the "easy-to-find" advances in theory.

-- Peter Fairbrother

More information about the cryptography mailing list