Eddy Nigg (StartCom Ltd.) wrote:
> Jean-Marc Desperrier:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>
>>> [...]
>>> However more interesting is this reference:
>>>
>> No, that is not more interesting. It's been known for a year or two that
>> keys around 600 bits were broken, and it was therefore already quite
>> obvious that 768 wasn't safe today.
>
> Well, that's what I knew and what I have been stating not so long ago on
> this list, but I couldn't refer to any reference, even now, it's not
> quite clear. I'd like to see some more details - do you have any?

Well, I don't know why neither you nor Paul found it, maybe because you searched for exactly 650 bits. It should take only seconds to find references to the factorisation of RSA-640 and of RSA-200 (a 200-digit number that is in fact 663 bits long).

http://www.rsa.com/rsalabs/node.asp?id=2879
http://www.loria.fr/%7Ezimmerma/records/factor.html

Also, I'd need to search for more references, but I've been reading that the factorisation of the 2^1039-1 Mersenne number
http://eprint.iacr.org/2007/205
is computationally equivalent to factoring an ordinary 700-bit number.

In fact, it's right there in the publication:
http://eprint.iacr.org/2007/205.pdf
"7 Discussion
[...] We estimate that the effort we spent would suffice to factor a 700-bit RSA modulus."

>> [...]
>
> Yes, I have this also stated already, but Paul Hoffman had a counter
> argument concerning some needed 128 GB memory available per machine.

It's only the final step that requires a lot of memory. In practice, the laboratories that broke the above keys managed to get it; one should not rely too much on that.

>> How much money is Verisign's 1024 bits "Class 3 Public Primary
>> Certification Authority" worth for pirates ? Don't you think a lot ?
>
> Not really and we have exactly this been discussion here (see previous
> threads). One of the suggestions was to have 1024 bit keys removed by
> 2012, maybe 2013. In any case I think we should act on it and include
> this requirement into the Mozilla CA policy.

After reading this:
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=9504
and this:
http://forum.kaspersky.com/index.php?showtopic=71734
I'm now beginning to realize Kaspersky might be much less concretely believing they can actually factor that key than I initially thought, but still 2012/2013 might be too late for the transition.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto