On Oct 17, 2009, at 5:23 AM, John Gilmore wrote:
Even using keys that have a round number of bits is foolish, in my
opinion. If you were going to use about 2**11th bits, why not 2240
bits, or 2320 bits, instead of 2048? Your software already handles
2240 bits if it can handle 2048, and it's only a tiny bit slower and
larger -- but a 2048-bit RSA cracker won't crack your 2240-bit key.
If this crypto community was serious about resistance to RSA key
factoring, the most popular key generation software would be picking
key sizes *at random* within a wide range beyond the number of bits
demanded for application security. That way, there'd be no "sweet
spots" at 1024 or 2048. As it is today, if NSA (or any major country,
organized crime group, or civil rights nonprofit) built an RSA key
cracker, more than 50% of the RSA keys in use would fall prey to a
cracker that ONLY handled 1024-bit keys. It's probably more like
80-90%, actually. Failing to use 1056, 1120, 1168-bit, etc, keys is
just plain stupid on our (the defenders') part; it's easy to automate
the fix.
What factoring algorithms would be optimized for a fixed number of
bits? I suppose one could have hardware that had 1024-bit registers,
which would limit you to no more than 1024 bits; but I can't think of
a factoring algorithm that works for 1024 bits, the top one of which
is 1, but not at least equally well when that top bit happens to be 0.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
