[147113] in cryptography@c2.net mail archive
[Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Sat Sep 14 12:10:26 2013
X-Original-To: cryptography@metzdowd.com
Date: Sat, 14 Sep 2013 16:53:38 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Recommendations are given herein as: symmetric_key_length ->
recommended_equivalent_RSA_key_length, in bits.
Looking at Wikipedia, I see:
"As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in
strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit
symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA
claims that 1024-bit keys are likely to become crackable some time
between 2006 and 2010 and that 2048-bit keys are sufficient until 2030.
An RSA key length of 3072 bits should be used if security is required
beyond 2030.[6]"
http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm
That page doesn't give any actual recommendations or long-term dates
from RSA now. It gives the "traditional recommendations" 80 -> 1024 and
112 -> 2048, and a 2000 Lenstra/Verheul minimum commercial
recommendation for 2010 of 78 -> 1369.
"NIST key management guidelines further suggest that 15360-bit RSA keys
are equivalent in strength to 256-bit symmetric keys.[7]"
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
NIST also give the "traditional" recommendations, 80 -> 1024 and 112 ->
2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.
I get that 1024 bits is about on the edge, about equivalent to 80 bits
or a little less, and may be crackable either now or sometime soon.
But, I wonder, where do these longer equivalent figures come from?
I don't know, I'm just asking - and I chose Wikipedia because that's the
general "wisdom".
Is this an area where NSA have "shaped the worldwide cryptography
marketplace to make it more tractable to advanced cryptanalytic
capabilities being developed by NSA/CSS", by perhaps greatly
exaggerating the equivalent lengths?
And by emphasising the difficulty of using longer keys?
As I said, I do not know. I merely raise the possibility.
[ Personally, I recommend 1,536 bit RSA keys and DH primes for security
to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if paranoid/high
value; and not using RSA at all for longer term security. I don't know
whether someone will build that sort of quantum computer one day, but
they might. ]
-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography