On Sat, Sep 14, 2013 at 12:56:02PM -0400, Perry E. Metzger wrote:
| requirement for attack | Symmetric key size | RSA or DH modulus size | DSA subgroup size |
| 100 | 100 | 1926 | 186 |
if TWIRL like machines appear, we could presume an 11 bit reduction in
100-11 = 89 bits. Bitcoin is pushing 75 bits/year right
now with GPUs and 65nm ASICs (not sure what balance). Does that place ~2000
bit modulus around the safety margin of 56-bit DES when that was being
argued about (the previous generation NSA key-strength sabotage)?
Anyone have some projections for the cost of a TWIRL to crack 2048 bit RSA?
Projecting 2048 out to a 2030 doesn't seem like a hugely conservative
estimate. Bear in mind NSA would probably be willing to drop $1b one-off to
be able to crack public key crypto for the next decade. There have been
cost and performance, power, density improvements since TWIRL was proposed.
Maybe the single largest employer of mathematicians can squeeze a few
incremental optimizations of the TWIRL algorithm or implementation strategy.
Tin foil or not: maybe it's time for 3072 RSA/DH and 384/512 ECC?
The cryptography mailing list