[ksk-change] On the topic of 1024-bit ZSKs

Michael StJohns msj at nthpermutation.com
Mon Oct 20 20:32:53 UTC 2014

On 10/20/2014 3:50 PM, David Conrad wrote:
> Unrelated to KSK change, but as we discussed it in the workshop...
> https://kivo.com/p/h985rFcI, slides 37-39
> Dr. Bernstein notes (page 38): "Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir-Tromer estimated 1 year, ≈ USD $10^7"

The paper he references is here 

Hmm... one of the interesting things here is that the author estimates
the surface area of the equivalent silicon ASICs necessary for a given rate
of breaking. Given changes in processes (e.g. substantially more
density for about the same prices per wafer) since 2003, I'm wondering
if you can't get a 10-fold improvement for the same price? E.g. call
it 36 days to break a 1024-bit key using 2014 ASIC technology and a $1m
investment? http://en.wikipedia.org/wiki/32_nanometer has an
interesting table. 2003 would have had 130 nm technology - 2014 is
running about 14 nm.

> I'm a bit disappointed at the lack of caveats in Dr. Bernstein's slides.
> Regards,
> -drc
> P.S. Also perhaps of note (although not directly related to key change), the last bit of slide 47 and slides 50-53.