On Thu, 1 Jul 2010 06:46:30 +0200 Dan Kaminsky <[email protected]> wrote:
> All, > > I've got a "perfect vs. good" question. > > NIST is pushing RSA-2048. And I think we all agree that's > probably a good thing. > > However, performance on RSA-2048 is too low for a number of real > world uses. > > Assuming RSA-2048 is unavailable, is it worth taking the > intermediate step of using RSA-1280? Or should we stick to RSA-1024? > > --Dan > Dan, I looked at the GNFS runtime and plugged a few numbers in. It seems RSA Security is using a more conservative constant of about 1.8 rather than the suggested 1.92299... See: http://mathworld.wolfram.com/NumberFieldSieve.html So using 1.8, a 1024 bit RSA key is roughly equivalent to a 81 bit symmetric key. Plugging in 1280 yields 89 bits. I'm of the opinion that if you take action to improve security, you should get more than 8 additional bits for your efforts. For example, 1536 shouldn't be that much slower but gives 96 bits of security. For posterity, here is a table using 1.8 for the GNFS constant: RSA Symmetric ---------------- 256 43.7 512 59.8 768 71.6 1024 81.2 1280 89.5 1536 96.8 2048 109.4 3072 129.9 4096 146.5 8192 195.1 Brandon --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [email protected]
