On Sun, 8 Sep 2013, Peter Fairbrother wrote:
> On the one hand, if they continued to recommend that government people use
> 1024-bit RSA they could be accused of failing their mission to protect
> government communications.
> On the other hand, if they told ordinary people not to use 1024-bit RSA, they
> could be accused of failing their mission to spy on people.
> What to do?

NIST has recommended at least RSA-2048 for a long time; for example, NIST 
Special Publication 800-57, back in August 2005, said:

 [...] for Federal Government unclassified applications. A minimum of 
 eighty bits of security shall be provided until 2010. Between 2011 
 and 2030, a minimum of 112 bits of security shall be provided. 
 Thereafter, at least 128 bits of security shall be provided.

Note that

 RSA-1024 ~ 80 bits of security; 
 RSA-2048 ~ 112 bits; 
 RSA-3072 ~ 128 bits 

So if anyone is to blame for using 1024-bit RSA, it is not NIST.

BTW, once you realize that 256 bits of security requires RSA with 
15360 bits, you will believe conspiracy theories about ECC much less. 
Here exponentiation with 15360 bits takes 15^3=3375 times more CPU 
time than a 1024-bit exponentiation, thus using RSA for 256-bit 
security is impractical.

> You can use any one of trillions of different elliptic curves, which should be
> chosen partly at random and partly so they are the right size and so on; but
> you can also start with some randomly-chosen numbers then work out a curve
> from those numbers, and you can use those random numbers to break the session
> key setup.

Can you elaborate on how knowing the seed for curve generation can be 
used to break the encryption? (BTW, the seeds for randomly generated 
curves are actually published.)

The cryptography mailing list
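
The key-size figures in the message above can be approximated from the asymptotic running time of the general number field sieve. The following is an added example, not part of the original message: the function names are made up for illustration, the 4.69 offset is a calibration assumed here so that RSA-1024 lands at about 80 bits, and the cost model assumes schoolbook multiplication with a full-length exponent (cubic in the modulus size). The estimate runs a few bits above the rounded NIST table at larger sizes.

```python
import math

GNFS_C = 1.923   # (64/9)**(1/3), the GNFS constant in L-notation
OFFSET = 4.69    # assumed calibration: places RSA-1024 at ~80 bits


def rsa_strength_bits(modulus_bits):
    """Estimated symmetric-equivalent strength of an RSA modulus, in bits."""
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - OFFSET
    return work / math.log(2)


def modulus_bits_for(strength):
    """Smallest modulus size whose estimate reaches `strength` bits."""
    lo, hi = 512, 65536
    while lo < hi:                      # binary search; the estimate is monotonic
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= strength:
            hi = mid
        else:
            lo = mid + 1
    return lo


def relative_exp_cost(modulus_bits, baseline_bits=1024):
    """Exponentiation cost relative to the baseline size (cubic model)."""
    return (modulus_bits / baseline_bits) ** 3


def table(sizes=(1024, 2048, 3072, 15360)):
    """Rows of (modulus bits, estimated strength, cost relative to RSA-1024)."""
    return [(n, round(rsa_strength_bits(n), 1), relative_exp_cost(n))
            for n in sizes]


if __name__ == "__main__":
    for n, bits, cost in table():
        print(f"RSA-{n:<6} ~{bits:6.1f} bits  {cost:7.0f}x RSA-1024 cost")
    print("modulus for a 256-bit estimate:", modulus_bits_for(256))
```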