On Sat, Sep 14, 2013 at 12:56:02PM -0400, Perry E. Metzger wrote:

http://tools.ietf.org/html/rfc3766| requirement | Symmetric | RSA or DH | DSA subgroup | | for attack | key size | modulus size | size | +-------------+-----------+--------------+--------------+ | 100 | 100 | 1926 | 186 | if TWIRL like machines appear, we could presume an 11 bit reduction in strength

100-11 = 89 bits. Bitcoin is pushing 75 bits/year right now with GPUs and 65nm ASICs (not sure what balance). Does that place ~2000 bit modulus around the safety margin of 56-bit DES when that was being argued about (the previous generation NSA key-strength sabotage)?

`Anyone have some projections for the cost of a TWIRL to crack 2048 bit RSA?`

`Projecting 2048 out to a 2030 doesnt seem like a hugely conservative`

estimate. Bear in mind NSA would probably be willing to drop $1b one-off to be able to crack public key crypto for the next decade. There have been

`cost and performance, power, density improvements since TWIRL was proposed.`

`Maybe the single largest employer of mathematicians can squeeze a few`

incremetal optimizations of the TWIRL algorithm or implementation strategy. Tin foil or not: maybe its time for 3072 RSA/DH and 384/512 ECC? Adam _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography