Recommendations are given herein as: symmetric_key_length -> recommended_equivalent_RSA_key_length, in bits.

Looking at Wikipedia, I see:

"As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.[6]"

http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm

That page doesn't give any actual recommendations or long-term dates from RSA now. It gives the "traditional recommendations" 80 -> 1024 and 112 -> 2048, and a 2000 Lenstra/Verheul minimum commercial recommendation for 2010 of 78 -> 1369.


"NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.[7]"

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

NIST also give the "traditional" recommendations, 80 -> 1024 and 112 -> 2048, plus 128 -> 3072, 192 -> 7680, 256 -> 15360.



I get that 1024 bits is about on the edge, about equivalent to 80 bits or a little less, and may be crackable either now or sometime soon.

But, I wonder, where do these longer equivalent figures come from?

I don't know, I'm just asking - and I chose Wikipedia because that's the general "wisdom".

Is this an area where NSA have "shaped the worldwide cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS", by perhaps greatly exaggerating the equivalent lengths?

And by emphasising the difficulty of using longer keys?

As I said, I do not know. I merely raise the possibility.


[ Personally, I recommend 1,536 bit RSA keys and DH primes for security to 2030, 2,048 if 1,536 is unavailable, 4,096 bits if paranoid/high value; and not using RSA at all for longer term security. I don't know whether someone will build that sort of quantum computer one day, but they might. ]


-- Peter Fairbrother
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
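
The equivalence pairs quoted in the message above track the heuristic running time of the general number field sieve, the fastest known classical factoring method. The following is an added example, not part of the original post: it evaluates that formula with its o(1) term dropped and, as an assumption, calibrates it to the 80 -> 1024 pair quoted above; the function names are hypothetical.

```python
import math

# Heuristic GNFS cost: exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3).
GNFS_C = (64 / 9) ** (1 / 3)

# Assumption: calibrate against the 80 -> 1024 pair quoted in the post.
ANCHOR_MODULUS_BITS, ANCHOR_SYMMETRIC_BITS = 1024, 80


def gnfs_log2_work(modulus_bits):
    """log2 of the uncalibrated GNFS cost for a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


# Constant shift (in bits) that makes the anchor pair come out exactly.
OFFSET = ANCHOR_SYMMETRIC_BITS - gnfs_log2_work(ANCHOR_MODULUS_BITS)


def symmetric_equivalent(modulus_bits):
    """Estimated symmetric-key strength, in bits, of an RSA modulus."""
    return gnfs_log2_work(modulus_bits) + OFFSET


def modulus_bits_for(symmetric_bits, lo=512, hi=65536):
    """Smallest modulus size whose estimate reaches symmetric_bits (bisection)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if symmetric_equivalent(mid) < symmetric_bits:
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Table values are the ones quoted in the post; estimates come from the formula.
    quoted = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
    for rsa_bits, table_bits in quoted:
        estimate = symmetric_equivalent(rsa_bits)
        print(f"{rsa_bits:>6}-bit RSA: table {table_bits:>3}, estimate {estimate:6.1f}")
    print("modulus size for a 128-bit estimate:", modulus_bits_for(128))
```

With this calibration the estimates land close to the quoted table (about 110, 132, 196 and 263 bits for 2048, 3072, 7680 and 15360), which shows how slowly the required modulus size pays off: each doubling of the symmetric target needs a several-fold larger modulus.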
