[18892] in cryptography@c2.net mail archive


Re: RSA-640 factored

daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Nov 10 09:22:52 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 09 Nov 2005 18:54:08 -0800
To: cryptography@metzdowd.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <iluslu5afps.fsf@latte.josefsson.org>

At 09:33 AM 11/9/2005, Simon Josefsson wrote:
>Victor Duchovni <Victor.Duchovni@MorganStanley.com> writes:
> > It is not reasonable, because the biggest constraint is memory, not
> > CPU. Inverting the matrix requires increasingly prohibitive quantities
> > of RAM. Read the DJB hardware GNFS proposal.
>
>Can we deduct a complexity expression from it, that could be used to
>(at least somewhat reliably) predict the cost of cracking RSA-768
>or RSA-1024, based on the timing information given in this report?
>The announcement doesn't say how much memory these machines had,

The most important thing it tells us is that the workload for
cracking RSA-768 has definitely moved from
"No, Never!" to "Well, Hardly Ever", so in case anybody was still
thinking about using 768-bit or shorter keys,
they should now know better.  The fact that it only took 80 boxes 5 months
to crack 640-bit means that an attacker with an NSA-sized budget
is definitely a threat to 768-bit keys,
even if they're not necessarily commercially cost-effective to crack.

Separately, Shamir's work on various crypto-magical factorization machines
has also meant that 1024-bit keys aren't safe from organizations
with large science budgets.


         Bill Stewart


---------------------------------------------------------------------
The Cryptography Mailing List