[Cryptography] Anyone have information on Export 1024 RSA?
Thierry Moreau
thierry.moreau at connotech.com
Tue Jan 26 21:23:19 EST 2016
On 26/01/16 08:19 PM, Ryan Carboni wrote:
> It seems like the NSA would have been able to crack 1024 RSA up to ten
> years ago if true.
>
Ray Dillinger replied with relevant considerations.
There is a lot of speculation needed in this subject area.
When I search for academic publications on the RSA modulus size
recommendations, I prefer to rely first on the authors who consider only
published factorization efforts and results. Speculation comes after.
There was a talk by Dan Bernstein a few years ago titled something like
"RSA modulus factorization beyond 1024 bits." He started with the
statement "anybody can do 1024 bits modulus as of now" (the audience was
not educated enough for a challenge to this, I guess; I was shy to ask
background info because I was admitted unofficially). Then he explained
the factorization method and explained that full exploitation of the GPU
architecture was the next step. I don't know if Dan Bernstein qualifies as
an "author who considers only published factorization efforts and results."
In the related subject of ECC curve size, the academic publication
introducing curve448 ("Ed448-Goldilocks, a new elliptic curve" by Mike
Hamburg, http://eprint.iacr.org/2015/625.pdf ) has a neat explanation
about "overkill" security parameters for asymmetric crypto (where
non-overkill is 128 bits symmetric key security equivalency).
So, I guess another way to ask the question is:
"What RSA modulus size is equivalent to 128 bits security?"
Now, I take the liberty to speculate:
The RSA modulus size equivalent to 128 bits symmetric key security is in
the range 1280 to 1536 bits.
The NSA would like the switch from RSA to ECC to occur sooner rather than later.
In (having NIST) advocating RSA 2048 bits modulus, the NSA gains: the
performance advantage in favor of ECC is increased, and the switch away
from RSA comes earlier.
(as I write this, I realize that I do not even convince myself)
Also, the NSA wishes the crypto community to waste brain resource on
post-quantum crypto instead of fixing more mundane weaknesses in
deployed algorithms.
Enough speculation ... bye!
- Thierry