3

I was checking for authoritative sources to back up my recommendation of a minimum RSA key length of 1024 and was shocked to find that NIST 800-56Br1 and FIPS 186-4 both recommend at least 2048 bits with 3072 bits for TOP SECRET data. I found that other sources have similarly high recommendations based on expected lifetime of the key.

These recommendations seem excessive in light of what I can find about attacks against RSA encryption. As far as I can find, the most recent attempt to factor RSA numbers was the successful factoring of the 756 bit RSA number. That was in 2009 and required, roughly, two years of effort with 100 computers and a team of mathematicians. Those researchers noted that their methods would not scale to significantly larger RSA numbers, so other [and unknown] methods would need to be developed.

Given that each additional bit doubles the number of values, 1024 bits would have $2^{256}$ times as many possible values. Even given very sparse utilization of that immense field, the effort required to attack a 1024 bit RSA key appears very far outside the reach of current capabilities.

Have I missed some more recent attacks? I note that some of the recommendations I have found predate the 2009 paper. Why would cryptanalysts believe that 1024 bit RSA keys would be insufficient when no one had even attacked the 756 bit key, which is vastly easier than 1024?

Can anyone point me to cryptanalytic work that demonstrates the risk to 1024 bit RSA?

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
JaimeCastells
  • 131
  • 4

2 Answers2

6

RSA, and to a somewhat similar extent Diffie-Hellman, bases its security on the difficulty of factoring large numbers into primes. While a scheme like AES can use all 2n numbers, in order to break RSA, you need to guess prime numbers.

As there are far fewer prime numbers and the factors can be better guessed, we need far larger prime numbers than other schemes like AES. So each additional bit doesn't double the difficulty of brute forcing it. If you want to venture into the math, you can check out the Wikipedia page on RSA.

While no one (we know of) has managed to break 1024, it is always important to stay ahead of the curve. And since brute force isn't exactly 2256 times more difficult,we pick higher primes. Who knows what future improvements in mathematics could break 1024-bit keys.

Azarinak
  • 341
  • 1
  • 6
-1

With number field sieve and quadratic field sieve, it is easy now to break RSA keys less than 1024 bit and more so the concepts of quantum cryptography will break all myths of unbreakable security. So graduating to higer bit security is obvious choice. ECDH and EC RSA still give some respite in present times.

Garry
  • 1
  • 1