Unformatted text preview: this trend won’t continue. A related algorithm, the special number field sieve, can already factor numbers of a certain specialized form—numbers not generally used for cryptography—much faster than the general number field sieve can factor general numbers of the same size. It is not unreasonable to assume that the general number field sieve can be optimized to run this fast [1190]; it is possible that the NSA already knows how to do this. Table 7.5 gives the number of mipsyears required for the special number field sieve to factor numbers of different lengths [1190]. At a European Institute for System Security workshop in 1991, the participants agreed that a 1024bit modulus should be sufficient for longterm secrets through 2002 [150]. However, they warned: “Although the participants of this workshop feel best qualified in their respective areas, this statement [with respect to lasting security] should be taken with caution.” This is good advice. The wise cryptographer is ultraconservative when choosing publickey key lengths. To determine how long a key you need requires you to look at both the intended security and lifetime of the key, and the current stateoftheart of factoring. Today you need a 1024bit number to get the level of security you got from a 512bit number in the early 1980s. If you want your keys to remain secure for 20 years, 1024 bits is likely too short. Even if your particular secrets aren’t worth the effort required to factor your modulus, you may be at risk. Imagine an automatic banking system that uses RSA for security. Mallory can stand up in court and say: “Did you read in the newspaper in 1994 that RSA129 was broken, and that 512bit numbers can be factored by any organization willing to spend a few million dollars and wait a few months? My bank uses 512bit numbers for security and, by the way, I didn’t make these seven withdrawals.” Even if Mallory is lying, the judge will probably put the onus on the bank to prove it. Table 7.4 Factoring Using the General Number Field Sieve # of bits 512...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details