[ksk-change] On the topic of 1024-bit ZSKs
Unrelated to KSK change, but as we discussed it in the workshop...

https://kivo.com/p/h985rFcI, slides 37-39

Dr. Bernstein notes (page 38): "Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir-Tromer estimated 1 year, ≈ USD $10^7"

I'm a bit disappointed at the lack of caveats in Dr. Bernstein's slides.

Regards,
-drc

P.S. Also perhaps of note (although not directly related to key change), the last bit of slide 47 and slides 50-53.

Hi David,

At 12:50 20-10-2014, David Conrad wrote:
> Unrelated to KSK change, but as we discussed it in the workshop...
> https://kivo.com/p/h985rFcI, slides 37-39
> Dr. Bernstein notes (page 38): "Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir-Tromer estimated 1 year, USD $10^7"
> I'm a bit disappointed at the lack of caveats in Dr. Bernstein's slides.

There was some discussion about the topic previously (see comment at https://www.ietf.org/mail-archive/web/dnsop/current/msg11541.html ).

Regards,
S. Moonesamy

Estimates from the early 2000s about the difficulty of breaking 1024 bit RSA are highly suspect *in both directions*. Note that I say that as the co-author of the current BCP on the topic, which was published in 2004 (RFC 3766). We didn't have enough good data points of the work effort (and we still don't). TWIRL had just been published.

It is *very* likely that some improvements to TWIRL have been made in private since that time, and those improvements might apply to 2048-bit keys as well. It is highly likely that state actors and well-funded criminal enterprises (make your own cynical joke here) have done a lot of mathematical research on breaking RSA in the past decade. $10M buys you a lot of otherwise-unemployable mathematicians who understand number theory. If someone wants to break RSA keys, it is clear that spending $10M or $100M on post-TWIRL research could have an ROI much greater than 1.

Or, TWIRL might be the best that an attacker can get.

The difference between RSA and ECwhatever is that we know that we don't know how much better the attacks on RSA have gotten in the past decade, whereas we know that the attacks on ECwhatever have not improved even one bit in 25 years.

--Paul Hoffman

On 10/20/2014 3:50 PM, David Conrad wrote:
> Unrelated to KSK change, but as we discussed it in the workshop...
> https://kivo.com/p/h985rFcI, slides 37-39
> Dr. Bernstein notes (page 38): "Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir-Tromer estimated 1 year, ≈ USD $10^7"

The paper he references is here: http://www.tau.ac.il/~tromer/papers/cbtwirl.pdf

Hmm... one of the interesting things here is that the author estimates surface area of the equivalent silicon ASICs necessary for a given rate of breaking. Given changes in processes (e.g. substantially more density for about the same prices per wafer) since 2003, I'm wondering if you can't get a 10-fold improvement for the same price? E.g. call it 36 days to break a 1024-bit key using 2014 ASIC technology and a $1m investment?

http://en.wikipedia.org/wiki/32_nanometer has an interesting table. 2003 would have had 130 nm technology - 2014 is running about 14 nm.

> I'm a bit disappointed at the lack of caveats in Dr. Bernstein's slides.
> Regards, -drc
> P.S. Also perhaps of note (although not directly related to key change), the last bit of slide 47 and slides 50-53.

participants (4): David Conrad, Michael StJohns, Paul Hoffman, S Moonesamy