re). Factoring RSA-1024 by NFS costs around 2^80 operations.
Thus, I believe that 4-prime RSA-2048 is slightly easier than 2-prime
RSA-2048, but still significantly harder than RSA-1024.
Best regards,
Samuel Neves
-
The Cryptog
On 30-09-2010 18:32, Thor Lancelot Simon wrote:
> On Thu, Sep 30, 2010 at 05:18:56PM +0100, Samuel Neves wrote:
>> One solution would be to use 2048-bit 4-prime RSA. It would maintain the
>> security of RSA-2048, enable the reusing of the modular arithmetic units
>> of 10
t put these
> devices in front of some applications at all.
One solution would be to use 2048-bit 4-prime RSA. It would maintain the
security of RSA-2048, enable the reusing of the modular arithmetic units
of 1024 bit VLSI
Forwarded at Andrew's request.
Original Message
Subject: Re: 2048-bit RSA keys
Date: Tue, 17 Aug 2010 19:11:55 -0500 (CDT)
From: Andrew Odlyzko
To: Samuel Neves
CC: cryptography@metzdowd.com
It is not unreasonable to consider the possibili
s).
It is not unreasonable to think that a small(ish) improvement to the
number field sieve could significantly lower the strength of current
keys. It *looks* more likely to happen than a significant improvement on
the speed of ECDLP breaking (I'll make no bets on AES, though).
Best regards,
Samuel Neves
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
If an attacker creating a special-purpose machine to break your keys is
a realistic scenario, why are you even considering keys of that size?
Best regards,
Samuel Neves
On 15-08-2010 04:25, John Gilmore wrote:
>>> ... 2048-bit keys performing
>&g
exponent can be further lowered from that (somewhere between 1.6 and
1.7) --- RSA-768 took about 2^67 Opteron instructions to complete, and
RSA-512 can be done in about 2^54 similar operations (it is in the realm
of possibility for a single box over a few days/weeks).
Best regards,
Samuel Neves
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
blem. There are also the schemes by Goh et al. [2] that are
reducible to the CDH and DDH problems in generic abelian groups (like
EC.) Would patents also apply to one of these schemes over an elliptic
curve?
Best regards,
Samuel Neves
[1] http://www.cacr.math.uwaterloo.ca/techreports/2000/co
rithm computation,
that takes (relatively) negligible storage and communication, the number
field sieve requires massive amounts of data, and the linear algebra
step could become (even more of) a problem.
Best regards,
Samuel Neves
[1] http://eprint.iacr.org/2010/006
[2] http://eprint.iacr.org/2009/38