Beyond Curve25519
Milan Kral
milan.kral at azet.sk
Sun Jan 25 21:16:53 CET 2015
http://cr.yp.to/papers.html#batchnfs
The cryptographic community reached consensus a decade ago that a
1024-bit RSA key can be broken in a year by an attack machine costing
significantly less than 10^9 dollars.
See:
- Adi Shamir, Eran Tromer, Factoring large numbers with the TWIRL
device, in Crypto 2003
- Arjen K. Lenstra, Eran Tromer, Adi Shamir, Wil Kortsmit, Bruce Dodson,
James Hughes, Paul C. Leyland, Factoring estimates for a 1024-bit RSA
modulus, in Asiacrypt 2003
- Willi Geiselmann, Adi Shamir, Rainer Steinwandt, Eran Tromer, Scalable
hardware for sparse systems of linear equations, with applications to
integer factorization, in CHES 2005
- Jens Franke, Thorsten Kleinjung, Christof Paar, Jan Pelzl, Christine
Priplata, Colin Stahlke, SHARK: a realizable special hardware sieving
device for factoring 1024-bit integers, in CHES 2005
On 16.01.2015 18:24, Robert J. Hansen wrote:
>> Funny... people told that as well with RSA key sizes which are
>> nowadays no longer considered enough... o.O
>
> Back in the early 1990s, a 1024-bit RSA key was believed to be unassailable.
>
> A 1024-bit key is still today considered unassailable... it just doesn't
> have anywhere near the security margin that we want. We advise at least
> 2048-bit keys to give us a comfortable margin, not because we believe
> people are breaking 1024-bit keys.
>
> To give an idea: for distributed.net to exhaust a 64-shannon keyspace
> took them about five years. They're currently working on exhausting a
> 72-shannon keyspace, which they project will take about 200 years.
> Exhausting an 80-shannon keyspace (about the same as a 1024-bit RSA key)
> would take about 5,000 years at that pace, or one year and 5,000 times
> the resources of distributed.net.
>
> 1024-bit crypto is still strong today. It's just not as strong as we'd
> like and we can do better with few side effects, so let's do better. :)
>
>> It's really disturbing to read such statements (i.e. "xxx bit
>> security level will be secure forever - except for quantum
>> computers)... it seems as nothing would have been learned from the
>> past :-/
>
> No one will ever exhaust a 128-shannon keyspace until we have
> large-scale quantum computers and a few decades in which to operate.
>
> No one will ever exhaust a 256-shannon keyspace. Ever.
>
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>
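The thread puts an 80-shannon keyspace "about the same as a 1024-bit RSA key" and recommends 2048-bit keys for margin. The following is an added example, not part of this thread or of GnuPG, that shows where such equivalences come from: it evaluates the heuristic cost of the general number field sieve, L_n[1/3, (64/9)^(1/3)], in bits of work, and then anchors the scale so that a 1024-bit modulus counts as 80 bits (the anchor values are an assumption taken from the thread's own rule of thumb, not a NIST table). The function names are hypothetical.

```python
import math

# Constant in the GNFS heuristic L_n[1/3, c] with c = (64/9)^(1/3).
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of L_n[1/3, c] for an n-bit RSA modulus.

    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)). We evaluate the
    exponent in nats and convert to bits; only differences between moduli
    are meaningful, since the heuristic hides constant factors.
    """
    ln_n = modulus_bits * math.log(2)
    exponent_nats = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent_nats / math.log(2)


def equivalent_symmetric_bits(modulus_bits: int,
                              anchor_modulus_bits: int = 1024,
                              anchor_symmetric_bits: int = 80) -> float:
    """Symmetric-equivalent strength of an RSA modulus.

    Assumption (from the thread): a 1024-bit modulus ~ 80-bit keyspace. Other
    sizes are placed relative to that anchor using the GNFS cost difference.
    """
    delta = gnfs_work_bits(modulus_bits) - gnfs_work_bits(anchor_modulus_bits)
    return anchor_symmetric_bits + delta


def margin_table(sizes=(1024, 2048, 3072, 4096)) -> dict:
    """Map each modulus size to its estimated symmetric-equivalent bits."""
    return {n: round(equivalent_symmetric_bits(n), 1) for n in sizes}


if __name__ == "__main__":
    for n, bits in margin_table().items():
        print(f"RSA-{n}: ~{bits} bits of symmetric-equivalent security")
```

Under this anchoring, RSA-2048 lands near 110 bits and RSA-3072 near 132 bits, close to the 112/128 figures usually quoted, which is the "comfortable margin" argument made above in numerical form. The heuristic ignores memory cost and special-purpose hardware (the TWIRL and SHARK designs cited in the post), so it is a scale, not a price tag.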