At 09:33 AM 11/9/2005, Simon Josefsson wrote:
Victor Duchovni <[EMAIL PROTECTED]> writes:
> It is not reasonable, because the biggest constraint is memory, not
> CPU. Inverting the matrix requires increasingly prohitive quantities
> of RAM. Read the DJB hardware GNFS proposal.
Can we deduct a complexity expression from it, that could be used to
(at least somewhat reliably) predict the cost of cracking RSA-768 or
or RSA-1024, based on the timing information given in this report?
The announcement doesn't say how much memory these machines had,
The most important thing it tells us is that the workload for
cracking RSA-768 has definitely moved from
"No, Never!" to "Well, Hardly Ever", so in case anybody was still
thinking about using 768-bit or shorter keys,
they should now know better. The fact that it only took 80 boxes 5 months
to crack 640-bit means that an attacker with an NSA-sized budget
is definitely a threat to 768-bit keys,
even if they're not necessarily commercially cost-effective to crack.
Separately, Shamir's work on various crypto-magical factorization machines
has also meant that 1024-bit keys aren't safe from organizations
with large science budgets.
Bill Stewart
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
