Re: [Cfrg] 1024 bit RSA

John Mattsson <> Sat, 05 November 2016 09:20 UTC

From: John Mattsson <>
To: Erik Andersen <>, Cfrg <>
Thread-Topic: [Cfrg] 1024 bit RSA
Date: Sat, 5 Nov 2016 09:20:51 +0000

According to the formula in Section 6 of the ECRYPT report [1] on key
lengths, which I think is the state-of-the-art, RSA-1024 offers 73 bits of
security, not 80 bits.

NIST has quite reasonable recommendations [2], and their requirements were
to stop using RSA-1024 no later than 2009.

Section 4 of [3] contains a good analysis on the related problem of
breaking DH-1024. They show that breaking generic DH-1024 in under a year
is plausible for SIGINTs on the order of hundreds of millions of dollars
(using publicly known cryptanalysis).

Even if RSA-1024 is not currently a super soft spot, it is likely to quickly
become one.





On 05/11/16 10:05, "Cfrg on behalf of Erik Andersen" wrote:

>All the comments have been quite useful. Let me express my concern.
>There is a cyber war out there and it is being used politically.
>When it comes to smart grid, it will be very dependent on a complex IT
>infrastructure (primarily using SCADA protocols). Our electricity networks
>are very critical infrastructures. The Ukraine black-out is a warning of
>what we might expect. My country (Denmark) and our allies are not always
>acting as other great powers may want. The threat to bring down a critical
>infrastructure could affect the policy making. We should not leave too
>soft spots in our defence wall. My question was actually: is a 1024 RSA
>such a soft spot? From what I hear, the answer might be yes.
>-----Original message-----
>From: Cfrg [] On behalf of Peter Gutmann
>Sent: 05 November 2016 04:51
>To: Ilari Liusvaara <>; Hal Murray
>Cc: Cfrg <>
>Subject: Re: [Cfrg] 1024 bit RSA
>Ilari Liusvaara <> writes:
>>In summary, I would guess that factoring RSA 1024 keys would be within
>>reach of groups who could do ASIC design and then ordering custom chips
>>Of course, that's still many millions, so one would need the financial
>>case of spending that much money (it is going to be millions of dollars
>>at the very least).
>And that's the key point, would anyone bother?  There's always the
>hypothetical government-level attacker with magical access to infinite
>resources lurking in the shadows, but as Snowden has shown, they don't
>to spend that much to get in, or build crypto-breakers to do it.  If I was
>an NSA program manager and someone came to me and said "we need $100M to
>build an ASIC-based RSA cracker, which we should have tested, debugged,
>operational in two years", I'd reply "here's a full *one hundredth* of
>amount, you've got a week to get in by backdooring or subverting or
>or whatever"
>(with an optional side-order of "yer lazy bastard" in an Ernest Borgnine
>Even if there was absolutely no other way in, I can't see how you could
>justify building something like that unless you were using it to attack
>something of extraordinarily high value like the single RSA-1024 key that
>the Kremlin uses to communicate with all its local offices.  DH group 2
>(group 1 in SSH terminology), sure (although an RSA-breaker can't do
>anything with those anyway), but some random RSA key somewhere?
>Cfrg mailing list
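
The 73-bit figure cited at the top of this message can be reproduced from the GNFS-based estimate in the ECRYPT II key-size report, s(n) = (64/9)^(1/3) · log2(e) · (n ln 2)^(1/3) · (ln(n ln 2))^(2/3) − 14. The sketch below is an added example, not part of the original message or of the report; the function names are hypothetical, and it goes one step further than the text by inverting the formula to find the modulus size needed for a target strength.

```python
import math

# Constants of the GNFS-based estimate as given in the ECRYPT II key-size
# report (assumption: formula quoted from that report, not from this thread).
GNFS_CONST = (64 / 9) ** (1 / 3)
OFFSET_BITS = 14  # calibration offset applied to the asymptotic GNFS cost


def rsa_security_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus of this size."""
    if modulus_bits < 2:
        # ln(n ln 2) must be positive for the fractional power to be real.
        raise ValueError("modulus size must be at least 2 bits")
    ln_n = modulus_bits * math.log(2)  # natural log of a modulus_bits-bit number
    work = GNFS_CONST * math.log2(math.e) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work - OFFSET_BITS


def min_modulus_bits(target_bits: float, step: int = 8) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimate meets the target.

    The estimate grows monotonically with modulus size, so bisection applies.
    """
    hi = 1
    while rsa_security_bits(hi * step) < target_bits:
        hi *= 2
    lo = 1
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_security_bits(mid * step) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo * step


def summary(sizes=(1024, 2048, 3072, 4096)):
    """(modulus bits, estimated security bits) pairs for common key sizes."""
    return [(n, round(rsa_security_bits(n), 1)) for n in sizes]


if __name__ == "__main__":
    for size, bits in summary():
        print(f"RSA-{size}: ~{bits} bits")
    for target in (80, 112, 128):
        print(f"{target}-bit target needs a modulus of >= {min_modulus_bits(target)} bits")
```
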