[Cryptography] Anyone have information on Export 1024 RSA?

Thierry Moreau thierry.moreau at connotech.com
Tue Jan 26 21:23:19 EST 2016


On 26/01/16 08:19 PM, Ryan Carboni wrote:
> It seems like the NSA would have been able to crack 1024 RSA up to ten
> years ago if true.
>

Ray Dillinger replied with relevant considerations.

There is a lot of speculation needed in this subject area.

When I search for academic publications on the RSA modulus size 
recommendations, I prefer to rely first on the authors who consider only 
published factorization efforts and results. Speculation comes after.

There was a talk by Dan Bernstein a few years ago titled something like 
"RSA modulus factorization beyond 1024 bits." He started with the 
statement "anybody can do 1024 bits modulus as of now" (the audience was 
not educated enough for a challenge to this, I guess; I was too shy to ask 
for background info because I was admitted unofficially). Then he explained 
the factorization method and explained that full exploitation of the GPU 
architecture was the next step. I don't know if Dan Bernstein qualifies as 
an "author who considers only published factorization efforts and results."

In the related subject of ECC curve size, the academic publication 
introducing curve448 ("Ed448-Goldilocks, a new elliptic curve" by Mike 
Hamburg, http://eprint.iacr.org/2015/625.pdf ) has a neat explanation 
about "overkill" security parameters for asymmetric crypto (where 
non-overkill is 128 bits symmetric key security equivalency).

So, I guess another way to ask the question is:
"What RSA modulus size is equivalent to 128 bits security?"

Now, I take the liberty to speculate:

The RSA modulus size equivalent to 128 bits symmetric key security is in 
the range 1280 to 1536 bits.

The NSA would like the switch from RSA to ECC to occur sooner rather than later.

In (having NIST) advocating RSA 2048 bits modulus, the NSA gains: the 
performance advantage in favor of ECC is increased, and the switch away 
from RSA comes earlier.

(as I write this, I realize that I do not even convince myself)

Also, the NSA wishes the crypto community to waste brain resource on 
post-quantum crypto instead of fixing more mundane weaknesses in 
deployed algorithms.

Enough speculation ... bye!

- Thierry


