Beyond Curve25519

Milan Kral milan.kral at
Sun Jan 25 21:16:53 CET 2015

The cryptographic community reached consensus a decade ago that a
1024-bit RSA key can be broken in a year by an attack machine costing
significantly less than 10^9 dollars.


- Adi Shamir, Eran Tromer, Factoring large numbers with the TWIRL
device, in Crypto 2003

- Arjen K. Lenstra, Eran Tromer, Adi Shamir, Wil Kortsmit, Bruce Dodson,
James Hughes, Paul C. Leyland, Factoring estimates for a 1024-bit RSA
modulus, in Asiacrypt 2003

- Willi Geiselmann, Adi Shamir, Rainer Steinwandt, Eran Tromer, Scalable
hardware for sparse systems of linear equations, with applications to
integer factorization, in CHES 2005

- Jens Franke, Thorsten Kleinjung, Christof Paar, Jan Pelzl, Christine
Priplata, Colin Stahlke, SHARK: a realizable special hardware sieving
device for factoring 1024-bit integers, in CHES 2005

On 16.01.2015 18:24, Robert J. Hansen wrote:
>> Funny... people told that as well with RSA key sizes which are 
>> nowadays no longer considered enough... o.O
> Back in the early 1990s, a 1024-bit RSA key was believed to be unassailable.
> A 1024-bit key is still today considered unassailable... it just doesn't
> have anywhere near the security margin that we want.  We advise at least
> 2048-bit keys to give us a comfortable margin, not because we believe
> people are breaking 1024-bit keys.
> To give an idea: for to exhaust a 64-shannon keyspace
> took them about five years.  They're currently working on exhausting a
> 72-shannon keyspace, which they project will take about 200 years.
> Exhausting an 80-shannon keyspace (about the same as a 1024-bit RSA key)
> would take about 5,000 years at that pace, or one year and 5,000 times
> the resources of
> 1024-bit crypto is still strong today.  It's just not as strong as we'd
> like and we can do better with few side effects, so let's do better.  :)
>> It's really disturbing to read such statements (i.e. "xxx bit 
>> security level will be secure forever - except for quantum 
>> computers)... it seems as nothing would have been learned from the 
>> past :-/
> No one will ever exhaust a 128-shannon keyspace until we have
> large-scale quantum computers and a few decades in which to operate.
> No one will ever exhaust a 256-shannon keyspace.  Ever.

More information about the Gnupg-devel mailing list