Asymmetric Key sizes

Simpson, Sam s.simpson at mia.co.uk
Wed, 10 Feb 1999 17:20:00 +0000 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We know that 512-bit keys have been insecure for some time now [Sch96a],
[Odl95], [Rob95]; a well-funded adversary could certainly break these
size keys (even if it does take a month or two). In reality, an
adversary wouldn't even need to be well funded - they would just need
access to a large network of computers. The adversary could thus be a
computer manufacturer, a large corporation (using idle time on
computers) or a co-ordinated effort. If doubt exists about the ability
to factor a 512-bit key one only has to see that a 465-bit key was
broken with just 2000 MIPS-years of effort [Paa99].


[Odl95] A.M.Odlyzko, "The Future of Integer Factorization", RSA
CryptoBytes, Volume 1, Number 2, Summer 1995. 
 
[Paa99] C.Paar, message beginning "The next RSA challenge, RSA140...",
as distributed on cryptography@c2.net mailing list, 4th Feb 1999. 

[Rob95] M.J.B.Robshaw, "Security Estimates for 512-bit RSA", RSA Labs,
June 29. 
 
[Sch96a] B.Schneier, "Applied Cryptography, Second Edition", Wiley,
1996. 


Using any less than an absolute minimum of 768-bits for data which needs
even medium term protection seems imprudent.


Hope this helps,

Sam Simpson
Comms Analyst
- -- http://www.hertreg.ac.uk/ss/ for ScramDisk hard-drive encryption &
Delphi Crypto Components.  PGP Keys available at the same site.


> -----Original Message-----
> From: Parker Tom TA [mailto:Tom.A.Parker@icl.com]
> Sent: Wednesday, February 10, 1999 3:02 PM
> To: 'ukcrypto@maillist.ox.ac.uk'
> Subject: Asymmetric Key sizes
> 
> 
> Although a lot is being said about the shrinking level of 
> security offered
> by various symmetric key sizes, with 56 bits coming in for a 
> lot of stick,
> haven't seen anything lately on asymmetric attacks. Has anyone any
> information on the latest successful attack position on 
> asymmetric keys, RSA
> in particular? How secure is 512 bits considered now, and 
> why? What's the
> current recommended key size? Has anything been published 
> that is later than
> the now rather old (January 1996) "Report by the Ad Hoc Group of
> Cryptographers and Computer Scientists"?
> 
> Thanks in advance,
> 
> Tom Parker
> tom.a.parker@icl.com
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBNsG/z+0ty8FDP9tPEQJQgQCg6sgjXUI9FRsp8Z+2CldsRv1gJRIAoNg+
mf3aq0BXhGthwuQ9FXlFEMTH
=zQIA
-----END PGP SIGNATURE-----