On Wed, Jul 14, 2010 at 6:42 AM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 14-07-2010 07:52, Jeffrey Walton wrote: >> >> On Tue, Jul 13, 2010 at 3:04 PM, Jakob Bohm<jb-open...@wisemo.com> wrote: >>> >>> [SNIP] >> >>>>> proponents of the RSA and DH algorithms said that the >>>>> number was wildly exaggerated and proposed some much >>>>> smaller values. >>>> >>>> I'm not willing to go out on a limb a recommend a smaller moduli (what >>>> is RSA recommending, BTW?). I look at it this way: When DSS was >>>> proposed, RSA Data Securities lobbied hard to get an RSA Signature >>>> included. They can't win them all.... >>> >>> Yes, that mostly dead company lost the political lobbying battle against >>> Certicom, but I was asking about science, not politics. >> >> http://scholar.google.com/scholar?hl=en&q=integer+factorization+estimate&as_sdt=20000000&as_ylo=2008&as_vis=0 >> > After looking at some of the rather mixed bag of documents from that > search, I was able to spot only the following factoid, which I post here > for the benefit of the rest of the list (and I hope this one is right). > > The needed size of RSA moduli increases approximately with the cube > of the equivalent symmetric key size, thus if 128 bit AES corresponds > to L bit RSA, 256 bit AES should correspond to 8L bit RSA. > > I did not spot an article that seemed to give estimates for the > actual RSA key lengths corresponding to modern symmetric key lengths.
Make sure to have a look a Lenstra, et. al. "On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography". Not quite what you were asking for but a very thorough analysis. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
