On Mar 1 2010, Eric Rescorla wrote:
[...] If a key is breakable at cost C in M months, then it's breakable at cost Cx in M/x months.
This isn't true in general (although it may be sufficiently so in the cases under discussion). In particular, not all stages of NFS factorisation attempts are easily distributable to many small processors. The sieving stage is, but distributing the matrix reduction stage is much harder (and a hot research topic). Recommended background reading: http://eprint.iacr.org/2010/006.pdf
Even if you do think this is true, it would be far more effective to simply use fractionally larger RSA keys. My understanding is that the major obstacle to using (for instance) 1100-bit RSA keys is that NIST only accepts a small number of concrete key sizes for FIPS 140. If so, rather than specifying a short rollover time, perhaps NIST could address that.
Absolutely: the NIST only-powers-of-2 guidelines have had a malign influence in the DNSSEC context, where the size of the signature so greatly exceeds that of the data signed. -- Chris Thompson University of Cambridge Computing Service, Email: c...@ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH, Phone: +44 1223 334715 United Kingdom. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
