On Thu, Jan 21, 2010 at 2:24 PM, Paul Wouters <p...@xelerance.com> wrote:
> On Thu, 21 Jan 2010, Edward Lewis wrote:
>
>> What I'd like to hear is:
>>
>> "Crypto-expert __________ says an RSA-SHA256 key of 1024 bits is good for
>> _______ signatures/days."
>
> I did ask my local Waterloo based cryptographer (Ian Goldberg) this
> question about a year ago for RSA-SHA1. And apart from his advice to use
> RSASSA-PSS and not PKCS1-v1_5, he thought a year would be extremely safe.
> I just asked another Toronto based cryptographer, Kelly Rose, the same
> question, and he said he would not trust it for more than two years.
>
> Also, consider this paper from July 2009:
>
> https://documents.epfl.ch/users/l/le/lenstra/public/papers/ecdl.pdf
>
> Next considering special purpose hardware, the most optimistic
> approach suggests that sieving for a 1024-bit RSA modulus can be
> done in a year for about US $10,000,000, plus a one-time development
> cost of about US $20,000,000,

And if your attacker has a budget of $1,000,000? Or $100,000,000?

The point is that the numbers depend on your model of the attacker
more than on the cryptography.

-Ekr
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop