Not sure why you mentioned that factoring only applies to DH. As you know in RSA n=p*q and pubk*prk=1 mod (totient(n))=1 mod (p-1)(q-1). Thus, if an attacker could factor n (find p and q in this case) and solve for prk. So, factoring big numbers (n in this case) equals to breaking RSA.
It is right that the primes in the paper were special and good SFNS targets. My argument was not that all 1024-bit RSA can be broken in 2 months. What I was saying was what the paper points out which is that there are weak 1024-bit n have been deployed and still exist which makes them good SNFS targets. If someone chose to keep deploying 1024 RSA, he is opening himself up for trouble. I am sorry, if security is the goal here, I could never agree that weak security with 1024-bit RSA can be considered security. Instead ECDSA and EdDSA are the secure and efficient options. +1 on WalnutDSA. Needs further analysis as it is pretty new. -----Original Message----- From: Derek Atkins [mailto:[email protected]] Sent: Thursday, February 09, 2017 12:38 PM To: Panos Kampanakis (pkampana) <[email protected]> Cc: Derek Atkins <[email protected]>; [email protected] Subject: RE: [Ace] Asymmetric signature performance Hi, On Thu, February 9, 2017 12:20 pm, Panos Kampanakis (pkampana) wrote: > > About factoring 1024-bits, > https://hal.inria.fr/hal-01376934/file/paper.pdf shows that a special > 1024-bit p was factored in 2 months. Also it explains that it is > possible to factor some primes used on the internet today. Going to > 1024 gives a false sense of security. Endorsing it in a standard to be > used for some years down the road makes me uncomfortable. 256-bit > ECDSA or EdDSA are more sufficient with good performance compared to RSA1024. Please do not mix up 1024-bit Diffie-Hellman and 1024-bit RSA. They are different mechanisms and depend on different underlying math. Everything you say above is about DH, which just does not apply when we're discussing RSA. You cannot "Factor a Prime"; by definition a prime's factors are 1 and itself (e.g. 11). Yes, it is possible to create a DH-prime that allows easy solutions to the discrete-log problem. And yes, it's easy to create an RSA key that's easily factored. However, factoring a "good" 1024-bit RSA key is not "2 months" of effort. c.f. https://en.wikipedia.org/wiki/RSA_numbers for a list of numbers and references to their factoring efforts over the years. Yes, 256-bit ECC is more secure than 1024-bit RSA (128-bit security vs 80-bit security). I cannot comment on the performance difference; I've been focusing on WalnutDSA which verifies orders of magnitude faster than either RSA or ECDSA. -derek -- Derek Atkins 617-623-3745 [email protected] www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
