Hi, On Thu, February 9, 2017 12:20 pm, Panos Kampanakis (pkampana) wrote: > > About factoring 1024-bits, > https://hal.inria.fr/hal-01376934/file/paper.pdf shows that a special > 1024-bit p was factored in 2 months. Also it explains that it is possible > to factor some primes used on the internet today. Going to 1024 gives a > false sense of security. Endorsing it in a standard to be used for some > years down the road makes me uncomfortable. 256-bit ECDSA or EdDSA are > more sufficient with good performance compared to RSA1024.
Please do not mix up 1024-bit Diffie-Hellman and 1024-bit RSA. They are different mechanisms and depend on different underlying math. Everything you say above is about DH, which just does not apply when we're discussing RSA. You cannot "Factor a Prime"; by definition a prime's factors are 1 and itself (e.g. 11). Yes, it is possible to create a DH-prime that allows easy solutions to the discrete-log problem. And yes, it's easy to create an RSA key that's easily factored. However, factoring a "good" 1024-bit RSA key is not "2 months" of effort. c.f. https://en.wikipedia.org/wiki/RSA_numbers for a list of numbers and references to their factoring efforts over the years. Yes, 256-bit ECC is more secure than 1024-bit RSA (128-bit security vs 80-bit security). I cannot comment on the performance difference; I've been focusing on WalnutDSA which verifies orders of magnitude faster than either RSA or ECDSA. -derek -- Derek Atkins 617-623-3745 [email protected] www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
