On 14/09/13 17:14, Perry E. Metzger wrote:
> On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother
> <zenadsl6...@zen.co.uk> wrote:
>> NIST also give the "traditional" recommendations, 80 -> 1024 and 112
>> -> 2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.
> [...]
>> But, I wonder, where do these longer equivalent figures come from?
>>
>> I don't know, I'm just asking - and I chose Wikipedia because that's
>> the general "wisdom".
> [...]
>> [ Personally, I recommend 1,536 bit RSA keys and DH primes for
>> security to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if
>> paranoid/high value; and not using RSA at all for longer term
>> security. I don't know whether someone will build that sort of
>> quantum computer one day, but they might. ]
>
> On what basis do you select your numbers? Have you done
> calculations on the time it takes to factor numbers using modern
> algorithms to produce them?

Yes, some - but I don't believe that's enough. Historically, it would not have been (and wasn't) - it doesn't take account of algorithm development.

I actually based the 1,536-bit figure on the old RSA factoring challenges, and how long it took to break them.

We are publicly at 768 bits now, and that's very expensive http://eprint.iacr.org/2010/006.pdf - and, over the last twenty years the rate of public advance has been about 256 bits per decade.

So at that rate 1,536 bits would become possible but very expensive in 2043, and would still be impossible in 2030.


If 1,024 is possible but very expensive for NSA now, and 256 bits per decade is right, then 1,536 may just be on the verge of edging into possibility in 2030 - but I think progress is going to slow (unless they develop quantum computers).

We have already found many of the "easy-to-find" advances in theory.



-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
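
Added example, not part of the thread or written by either poster: key-size equivalence figures of the kind quoted above are usually estimated from the asymptotic running time of the general number field sieve, and this sketch compares that curve with the quoted pairs and with the 256-bits-per-decade extrapolation. Assumptions: the o(1) term is dropped, the curve is shifted so that 1024 bits maps to 80, and 2013 (the date of the message) is taken as "now"; the function names are hypothetical.

```python
import math

# Symmetric-strength -> RSA modulus size pairs quoted in the thread.
QUOTED = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

def gnfs_bits(modulus_bits):
    """log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).

    Assumption: the o(1) term of the GNFS running time is taken as zero.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def calibrated_bits(modulus_bits, anchor=(1024, 80)):
    """Shift the curve so the anchor modulus maps to its quoted strength.

    Assumption: a constant offset fixed at 1024 -> 80 (constructed here).
    """
    offset = gnfs_bits(anchor[0]) - anchor[1]
    return gnfs_bits(modulus_bits) - offset

def year_reached(target_bits, base_bits, base_year=2013, bits_per_decade=256):
    """Linear extrapolation at the thread's rate of public advance.

    Assumption: base_year 2013 is the message's "now".
    """
    return base_year + 10 * (target_bits - base_bits) / bits_per_decade

if __name__ == "__main__":
    for size, quoted in QUOTED.items():
        print(f"{size:>6}-bit: quoted {quoted:>3}, "
              f"raw GNFS {gnfs_bits(size):6.1f}, "
              f"calibrated {calibrated_bits(size):6.1f}")
    for base in (768, 1024):
        gap = gnfs_bits(1536) - gnfs_bits(base)
        print(f"{base} -> 1536: year {year_reached(1536, base):.0f}, "
              f"about 2^{gap:.1f} times the GNFS work")
```

The calibrated curve stays within a few bits of every quoted pair, and the second loop shows that equal 256-bit steps in modulus size are not equal steps in factoring work.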
