Re: [Cfrg] 1024 bit RSA
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 04 November 2016 21:23 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vDwvYd2akNleGMkEqyxgByx00tA>

On Fri, Nov 04, 2016 at 02:03:13PM -0700, Hal Murray wrote:
>
> phill@hallambaker.com said:
> > So expect RSA 1024 to certainly fall by 2030 and probably by 2025.
>
> What are the right units for that discussion?
>
> I think it has to include cost and time-to-solve. For compute-intensive
> approaches that parallelize, the time part drops out. There are probably 2
> paths, one using COTS gear and another using ASICs.
>
> Is there something like Moore's Law for breaking crypto?

(Warning: Pretty pure guessing ahead.)

I think it depends on what you are talking about: Using CPUs vs. ASICs.

For CPUs, I think the improvements of Moore's law mostly go to very modest performance improvements (and to reducing power usage).

Of course, Moore's law might have slowed down by now... And will probably halt soon (I don't imagine transition off Si being that smooth... There have been enormous amounts of infrastructure invested in Si).

For ASICs, those improvements probably could mostly go to improving performance. The main limit is heat dissipation.

And when it comes to cost of building ASICs, the costs are mostly upfront (design, masks, etc... are very expensive). Manufacturing ASICs (at least if using ordinary digital-only processes) is quite cheap. So once one has design and masks for ASIC, one can cheaply get a massive number of copies. And ASICs can be quite specialized.

One fortunate aspect with RSA is that the final step of factoring involves quite a lot of memory use. But it takes relatively little time (most of the work is in sieving).

In summary, I would guess that factoring RSA 1024 keys would be within reach of groups who could do ASIC design and then ordering custom chips off fabs. Of course, that's still many millions, so one would need the financial case of spending that much money (it is going to be millions of dollars at the very least).

-Ilari