Re: 2048 bits, damn the electrons! [...@openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

re). Factoring RSA-1024 by NFS costs around 2^80 operations. Thus, I believe that 4-prime RSA-2048 is slightly easier than 2-prime RSA-2048, but still significantly harder than RSA-1024. Best regards, Samuel Neves - The Cryptog

Re: 2048 bits, damn the electrons! [...@openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

On 30-09-2010 18:32, Thor Lancelot Simon wrote: > On Thu, Sep 30, 2010 at 05:18:56PM +0100, Samuel Neves wrote: >> One solution would be to use 2048-bit 4-prime RSA. It would maintain the >> security of RSA-2048, enable the reusing of the modular arithmetic units >> of 10

Re: 2048 bits, damn the electrons! [...@openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

t put these > devices in front of some applications at all. One solution would be to use 2048-bit 4-prime RSA. It would maintain the security of RSA-2048, enable the reusing of the modular arithmetic units of 1024 bit VLSI

Re: 2048-bit RSA keys

Forwarded at Andrew's request. Original Message Subject: Re: 2048-bit RSA keys Date: Tue, 17 Aug 2010 19:11:55 -0500 (CDT) From: Andrew Odlyzko To: Samuel Neves CC: cryptography@metzdowd.com It is not unreasonable to consider the possibili

Re: 2048-bit RSA keys

s). It is not unreasonable to think that a small(ish) improvement to the number field sieve could significantly lower the strength of current keys. It *looks* more likely to happen than a significant improvement on the speed of ECDLP breaking (I'll make no bets on AES, though). Best regards, Samuel Neves - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: non 2048-bit keys

If an attacker creating a special-purpose machine to break your keys is a realistic scenario, why are you even considering keys of that size? Best regards, Samuel Neves On 15-08-2010 04:25, John Gilmore wrote: >>> ... 2048-bit keys performing >&g

Re: 1280-Bit RSA

exponent can be further lowered from that (somewhere between 1.6 and 1.7) --- RSA-768 took about 2^67 Opteron instructions to complete, and RSA-512 can be done in about 2^54 similar operations (it is in the realm of possibility for a single box over a few days/weeks). Best regards, Samuel Neves - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: What's the state of the art in factorization?

blem. There are also the schemes by Goh et al. [2] that are reducible to the CDH and DDH problems in generic abelian groups (like EC.) Would patents also apply to one of these schemes over an elliptic curve? Best regards, Samuel Neves [1] http://www.cacr.math.uwaterloo.ca/techreports/2000/co

Re: What's the state of the art in factorization?

rithm computation, that takes (relatively) negligible storage and communication, the number field sieve requires massive amounts of data, and the linear algebra step could become (even more of) a problem. Best regards, Samuel Neves [1] http://eprint.iacr.org/2010/006 [2] http://eprint.iacr.org/2009/38