[ksk-change] On the topic of 1024-bit ZSKs

Paul Hoffman paul.hoffman at vpnc.org
Mon Oct 20 20:31:06 UTC 2014

Estimates from the early 2000s about the difficulty of breaking 1024 bit RSA are highly suspect *in both directions*. Note that I say that as the co-author of the current BCP on the topic, which was published in 2004 (RFC 3766).

We didn't have enough good data points of the work effort (and we still don't).

TWIRL had just been published. It is *very* likely that some improvements to TWIRL have been made in private since that time, and those improvements might apply to 2048-bit keys as well.

It is highly likely that state actors and well-funded criminal enterprises (make your own cynical joke here) have done a lot of mathematical research on breaking RSA in the past decade. $10M buys you a lot of otherwise-unemployable mathematicians who understand number theory. If someone wants to break RSA keys, it is clear that spending $10M or $100M on post-TWIRL research could have an ROI much greater than 1. Or, TWIRL might be the best that an attacker can get.

The difference between RSA and ECwhatever is that we know that we don't know how much better the attacks on RSA have gotten in the past decade, whereas we know that the attacks on ECwhatever have not improved even one bit in 25 years.

--Paul Hoffman

More information about the ksk-rollover mailing list