Re: Factoring - State of the Art and Predictions



Bruce Schneier gives us:

>         Table 4: Recommended public-key key lengths (in bits)
>
>         Year     vs. I             vs. C             vs. G
>         1995      768              1280              1536
>         2000     1024              1280              1536
>         2005     1280              1536              2048
>         2010     1280              1536              2048
>         2015     1536              2048              2048


I applaud Bruce for making this unpopular presentation of the somber facts.
If these figures are taken seriously, the conclusion is that 1024 bit keys
are not even good TODAY if one is concerned about the C or G level attack.
In fact, not even the 1280 bit key is good for G level attack today.

Pay attention, people.  Factoring is still a good cryptographic approach,
but the key lengths have to keep growing larger.  Factoring may be NP-hard
in the key length, but the rate of growth of our ability to factor is
actually going up exponentially as well.  The speed of encryption and
decryption for 2048 bit keys on my Pentium is quite reasonable today... and
my confidence in the long-term security of my encrypted files has increased
considerably with the advent of PGP 2.6.2, for just that reason.

Doug Cutrell

_____________________________________________________________
Doug Cutrell                    General Partner
[email protected]               Open Mind, Santa Cruz
=============================================================