[145296] in cryptography@c2.net mail archive
Re: [TIME_WARP] 1280-Bit RSA
daemon@ATHENA.MIT.EDU (Brandon Enright)
Fri Jul 9 18:16:21 2010
Date: Fri, 9 Jul 2010 21:33:23 +0000
From: Brandon Enright <bmenrigh@ucsd.edu>
To: Dan Kaminsky <dan@doxpara.com>
Cc: cryptography@metzdowd.com, bmenrigh@ucsd.edu
In-Reply-To: <AANLkTilBXzndOa5TyFYTJI2jSRmsBDp7GcW3NDYUGTuq@mail.gmail.com>
On Thu, 1 Jul 2010 06:46:30 +0200
Dan Kaminsky <dan@doxpara.com> wrote:
> All,
>
> I've got a "perfect vs. good" question.
>
> NIST is pushing RSA-2048. And I think we all agree that's
> probably a good thing.
>
> However, performance on RSA-2048 is too low for a number of real
> world uses.
>
> Assuming RSA-2048 is unavailable, is it worth taking the
> intermediate step of using RSA-1280? Or should we stick to RSA-1024?
>
> --Dan
>
Dan,
I looked at the GNFS runtime and plugged a few numbers in. It seems
RSA Security is using a more conservative constant of about 1.8 rather
than the suggested 1.92299...
See:
http://mathworld.wolfram.com/NumberFieldSieve.html
So using 1.8, a 1024 bit RSA key is roughly equivalent to a 81 bit
symmetric key. Plugging in 1280 yields 89 bits.
I'm of the opinion that if you take action to improve security, you
should get more than 8 additional bits for your efforts. For example,
1536 shouldn't be that much slower but gives 96 bits of security.
For posterity, here is a table using 1.8 for the GNFS constant:
RSA Symmetric
----------------
256 43.7
512 59.8
768 71.6
1024 81.2
1280 89.5
1536 96.8
2048 109.4
3072 129.9
4096 146.5
8192 195.1
Brandon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
