*BSD News Article 21325



Xref: sserve alt.security:10073 sci.crypt:16779 sci.math:47670 comp.unix.misc:9159 comp.unix.wizards:30861 alt.security.pgp:1432 comp.os.386bsd.misc:1079 comp.os.linux.misc:1814
Newsgroups: alt.security,sci.crypt,sci.math,comp.unix.misc,comp.unix.wizards,alt.security.pgp,comp.os.386bsd.misc,comp.os.linux.misc
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!usc!howland.reston.ans.net!pipex!uknet!comlab.ox.ac.uk!pcl
From: pcl@ox.ac.uk (Paul C Leyland)
Subject: Re: RSA129 factoring attack -- participants needed
Message-ID: <PCL.93Sep22113238@rhodium.ox.ac.uk>
In-reply-to: fahn@chirality.rsa.com's message of 21 Sep 93 15:46:26
Organization: Oxford University Computing Services, 13 Banbury Rd Oxford OX2
	6NN
References: <explorer.748591928@tbird.cc.iastate.edu>
	<FAHN.93Sep21154626@chirality.rsa.com>
Date: 22 Sep 93 11:32:38
Lines: 40

In article <FAHN.93Sep21154626@chirality.rsa.com> fahn@chirality.rsa.com (Paul Fahn) writes:

   In article <explorer.748591928@tbird.cc.iastate.edu> explorer@iastate.edu (Michael Graff) writes:

   >   In 1977, a 129-digit integer appeared in the pages of Scientific American.
   >   This number, the RSA challenge modulus or RSA-129, has not yet been
   >   successfully factored.  Factoring it, a 425-bit number, would be a major
   >   milestone in cryptography, as it would show that current technology is able to
   >   break commonly-used RSA-cryptosystem keys within a reasonable time.

   This is not correct. Commonly-used RSA systems use key sizes significantly 
   larger than 425 bits. Common RSA key sizes range from 512 bits to 1024. 
   Factoring RSA-129 does not in any way jeopardize the security of widely 
   used versions of RSA. 

You are both correct.  It is very common to use RSA keys in the range
512 to 1024 bits.  However, PGP (for example) provides 384-bit keys as
an option and quite a few people have taken up this option.  Get hold of
the keyring from a public key server if you wish to check this claim.

I have been telling people to use at least 512-bit keys and they really
ought to be using much larger ones.  Nonetheless, running RSA on a small
computer, in the 8086 class, can be so slow that some people trade off
security for convenience.

We can estimate that factoring 512-bit numbers is somewhere between a
hundred and a thousand times more difficult than factoring 425-bit
numbers.  This increase in difficulty is sufficiently small that one
should be concerned about the security of 512-bit keys in the near
future.


Paul

--
Paul Leyland <pcl@oxford.ac.uk>          | Hanging on in quiet desperation is
Oxford University Computing Service      |     the English way.
13 Banbury Road, Oxford, OX2 6NN, UK     | The time is gone, the song is over.
Tel: +44-865-273200  Fax: +44-865-273275 | Thought I'd something more to say.
Finger pcl@black.ox.ac.uk for PGP key    |
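
Added example, not part of the post above: one way to run the check it suggests, measuring the RSA modulus size of each key in a PGP 2.x-style keyring and flagging keys under the 512-bit floor the post recommends. It assumes old-format OpenPGP packets with v2/v3 RSA public keys; the function names, the sample keyring and its user IDs are constructed for illustration.

```python
import struct

def mpi(bits):
    """Constructed placeholder integer with exactly `bits` bits, as an OpenPGP MPI."""
    value = (1 << (bits - 1)) | 1
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def sample_key(bits, uid):
    """Constructed v3 RSA public-key packet (tag 6) followed by a user-ID packet (tag 13)."""
    body = b"\x03" + struct.pack(">IHB", 0, 0, 1) + mpi(bits) + mpi(17)
    return b"\x99" + struct.pack(">H", len(body)) + body + b"\xb4" + bytes([len(uid)]) + uid

def packets(data):
    """Yield (tag, body) for old-format packets with a definite length."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if (hdr & 0xC0) != 0x80 or (hdr & 0x03) == 3:
            raise ValueError(f"unsupported packet header {hdr:#04x} at offset {i}")
        nlen = 1 << (hdr & 0x03)                      # 1, 2 or 4 length octets
        start = i + 1 + nlen
        length = int.from_bytes(data[i + 1:start], "big")
        if start + length > len(data):
            raise ValueError(f"truncated packet at offset {i}")
        yield (hdr >> 2) & 0x0F, data[start:start + length]
        i = start + length

def audit(data, minimum=512):
    """Return (user_id, modulus_bits, meets_minimum) for each v2/v3 RSA key."""
    results, bits = [], None
    for tag, body in packets(data):
        if tag == 6:
            bits = None
            # Layout: version(1) created(4) validity(2) algorithm(1) MPI n, MPI e
            if len(body) >= 10 and body[0] in (2, 3) and body[7] == 1:
                declared = struct.unpack(">H", body[8:10])[0]
                modulus = body[10:10 + (declared + 7) // 8]
                bits = int.from_bytes(modulus, "big").bit_length()  # measured, not declared
        elif tag == 13 and bits is not None:
            results.append((body.decode("latin-1"), bits, bits >= minimum))
            bits = None                               # report each key once, under its first user ID
    return results

# Constructed keyring: three placeholder keys, not real key material.
KEYRING = sample_key(384, b"alice") + sample_key(512, b"bob") + sample_key(1024, b"carol")

if __name__ == "__main__":
    for uid, bits, ok in audit(KEYRING):
        print(f"{bits:5d} bits  {'ok' if ok else 'BELOW MINIMUM'}  {uid}")
```

The `minimum` default is the floor stated in the post; signature and trust packets in a keyring are skipped because only tags 6 and 13 are inspected.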