On 30-09-2010 16:41, Thor Lancelot Simon wrote: > On Wed, Sep 29, 2010 at 09:22:38PM -0700, Chris Palmer wrote: >> Thor Lancelot Simon writes: >> >>> a significant net loss of security, since the huge increase in >>> computation required will delay or prevent the deployment of >>> "SSL everywhere". >> >> That would only happen if we (as security experts) allowed web >> developers to believe that the speed of RSA is the limiting factor >> for web application performance. > > At 1024 bits, it is not. But you are looking at a factor of *9* > increase in computational cost when you go immediately to 2048 bits. > At that point, the bottleneck for many applications shifts, > particularly those which are served by offload engines specifically > to move the bottleneck so it's not RSA in the first place.

... > At present, these devices use the highest performance modular-math > ASICs available and can just about keep up with current web > applications' transaction rates. Make the modular math an order of > magnitude slower and suddenly you will find you can't put these > devices in front of some applications at all. One solution would be to use 2048-bit 4-prime RSA. It would maintain the security of RSA-2048, enable the reusing of the modular arithmetic units of 1024 bit VLSI chips and keep ECM factoring at bay. The added cost would only be a factor of ~2, instead of ~8. Best regards, Samuel Neves --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com