[145297] in cryptography@c2.net mail archive
Re: [TIME_WARP] 1280-Bit RSA
daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Fri Jul 9 18:50:49 2010
In-Reply-To: <20100709213323.3362cb23@gamma>
Date: Sat, 10 Jul 2010 00:19:44 +0200
From: Dan Kaminsky <dan@doxpara.com>
To: Brandon Enright <bmenrigh@ucsd.edu>
Cc: cryptography@metzdowd.com
Dan,
>
> I looked at the GNFS runtime and plugged a few numbers in. It seems
> RSA Security is using a more conservative constant of about 1.8 rather
> than the suggested 1.92299...
>
> See:
> http://mathworld.wolfram.com/NumberFieldSieve.html
>
> So using 1.8, a 1024 bit RSA key is roughly equivalent to a 81 bit
> symmetric key. Plugging in 1280 yields 89 bits.
>
> I'm of the opinion that if you take action to improve security, you
> should get more than 8 additional bits for your efforts. For example,
> 1536 shouldn't be that much slower but gives 96 bits of security.
>
Here's the actual data, in terms of transactions per second, I'm getting for
a sample app:
512: 710.042382
1024: 187.187719
1280: 108.592265
1536: 73.314751
2048: 20.645645
2048 ain't happening. The relative diff between 1280 and 1536 is
interesting though.
>
> For posterity, here is a table using 1.8 for the GNFS constant:
>
> RSA Symmetric
> ----------------
> 256 43.7
> 512 59.8
> 768 71.6
> 1024 81.2
> 1280 89.5
> 1536 96.8
> 2048 109.4
> 3072 129.9
> 4096 146.5
> 8192 195.1
>
>
Do other cracking mechanisms have similar curves to GNFS (with different
constants)?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
