Re: RSA key size and safety

On Sep 7, 12:39 pm, Andrew Haley <andre...@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
biject <biject.b...@xxxxxxxxx> wrote:
On Aug 26, 8:48?am, pubkeybreaker <pubkeybrea...@xxxxxxx> wrote:
On Aug 26, 10:41?am, George Orwell <nob...@xxxxxxxxxxxx> wrote:

http://www.keylength.com/

Has anyone seen these numbers? They're calculations for the estimated
safety period for different encryption algorithms.

What strikes me is that most of these predict that 4096 bits
assymmetric (RSA) will be safe for the next 50 years (or thereabouts).
However, the NIST recommends 7680 (for decades?) and even 15360 bits
for RSA (for centuries?).

Any one want to guess what their drift is?

I have no idea. ?Noone can predict that far out.
 I have been watching ever since RSA came out. It was not that long
ago when it was considered that keys of a 1000 bits would last longer
than till the sun burned out.

In 1991, [1] said

"For most applications a modulus size of 1024 bits should achieve a
sufficient level of security for "tactical" secrets for the next ten
years.  This is for long term secrecy purposes; for short term
authenticity purposes 512 bits might suffice in this century."

Andrew.

[1] Th. Beth, M. Frisch and G. Simmons, Public Key Cryptography: State
of the Art and Future Directions, LNCS 578, SpringerVerlag,1992

From what I see the 512-bit factorization occurred around 2000. So
that statement is fairly dead on. Even in the mid 90s when I was
getting into cryptography it was fairly common place to be using AT
LEAST 768-bit RSA keys. From what I understand, the QS and MPQS were
the systems used originally, so any time estimates were likely based
on those. A quick google suggests that the GNFS came around out of
the SNFS in the early 90s. Probably after that paper was written, so
all in all, the estimates were scientific.

One thing I see missing is the concept of forward secrecy. You should
always have in mind a system for renewing keys. They become insecure
for more reasons than just factorization. If you can't ever change
your public keys your system is fairly dead in the water.

Tom
.

Relevant Pages

  • Re: A question about modular exponentiation
    ... > One can also compute the private exponent in a slightly different way: ... > I ran tests on this, generating primes to produce RSA keys ... Therefore, d is inverse of e both for mod lambda, and for phi. ...
    (sci.crypt)
  • Re: SSH keys: RSA vs DSA
    ... >> Ssh protocol version 2 can use RSA as well as DSA keys. ... > DSA is an old and fairly weak encryption, ...
    (comp.os.linux.security)
  • Re: CryptoAPI Hard Coding Keys, Help
    ... You can use RSA, DH/DSA or ECDSA - but you should first check what Windows ... // key container name. ... printf(" Create a default container and generate keys \n"); ... "Generating Keys \n"); ...
    (microsoft.public.platformsdk.security)
  • Re: newbie Qs about RSA, OAEP
    ... > Are there recommended minimum/maximum lengths for RSA keys? ... RSA block, you encrypt the message with a block cipher, and encrypt only ... each protocol has its own way of indicating length. ...
    (sci.crypt)
  • Re: Extended Keyboard II
    ... hideous USB keyboard (Keys too wide, ... If the EKII is dead, ...
    (uk.comp.sys.mac)