The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

em:20482030

Differences

This shows you the differences between two versions of the page.

em:20482030 [2023/11/09 16:27] – [Where Are We Now?] Typo b.walzer
em:20482030 [2024/11/22 23:01] (current) – [2048 Bit RSA and the Year 2030] NIST speaks, typo b.walzer
Line 1: Line 1:
 ======2048 Bit RSA and the Year 2030====== ======2048 Bit RSA and the Year 2030======
  
-In the course of some recent work I developed the impression that 2048 RSA was quite secure. Canada(([[https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111|Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111]])) (my country of residence) and others+//Update: NIST released a draft that modified their recommendations (Oct 2024)(([[https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd|Transitioning the Use of Cryptographic Algorithms and Key Lengths, Rev 3]])). RSA 2048 is to be only  considered "deprecated" after 2030. The draft states:// 
 + 
 +>//Currently, a 112-bit security strength for the classical digital signature and key-establishment algorithms does not appear to be in imminent danger of becoming insecure in the near future, so this approach should allow an orderly transition to quantum-resistant algorithms without unnecessary effort for the cryptographic community.// 
 + 
 +//Generally the idea seems to be that there would be no point in increasing key sizes in light of the quantum threat. Quantum computing seems to me to represent even less danger than the ideas discussed in this article but I will leave actual discussion of this very controversial topic to others.// 
 + 
 +In the course of some recent work I developed the impression that 2048 bit RSA was quite secure. Canada(([[https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111|Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111]])) (my country of residence) and others
 (([[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|Recommendation for Key Management]] (USA), [[https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf|Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques]] (France) )) are currently strongly suggesting that 2048 bit RSA should be considered potentially insecure after the year 2030 and that the minimum length considered secure should be then be 3072 bits. That is only 7 years from now (2023). (([[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|Recommendation for Key Management]] (USA), [[https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf|Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques]] (France) )) are currently strongly suggesting that 2048 bit RSA should be considered potentially insecure after the year 2030 and that the minimum length considered secure should be then be 3072 bits. That is only 7 years from now (2023).
  
 =====Where did the 2030 cutoff come from?===== =====Where did the 2030 cutoff come from?=====
  
-I am reasonably certain that the ideas here came from an influential paper released in 2004 by Arjen K. Lenstra((https://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf|Key Lengths: Contribution to The Handbook of Information Security)) that showed this year in a table. Here is a simplified version of the table:+I am reasonably certain that the ideas here came from an influential paper released in 2004 by Arjen K. Lenstra(([[https://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf|Key Lengths: Contribution to The Handbook of Information Security]])) that showed this year in a table. Here is a simplified version of the table:
  
 ^ Modulus Bit Length ^ Conservative Year ^ Optimistic Year ^ ^ Modulus Bit Length ^ Conservative Year ^ Optimistic Year ^
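
Review bot: The update block added at the top of this hunk says the Oct 2024 NIST draft only treats RSA 2048 as "deprecated" after 2030, yet the unchanged paragraph that follows still reads "are currently strongly suggesting that 2048 bit RSA should be considered potentially insecure after the year 2030" and "That is only 7 years from now (2023)", with a NIST document among its footnotes. A reader now gets two different accounts of the NIST position within a few lines; consider rewording the opening paragraph so it clearly describes the guidance as it stood in 2023, or placing the update after it. Two wording nits in the same region: "is to be only  considered" has a doubled space and reads better as "is only to be considered", and the context line still contains "should be then be".
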
Line 166: Line 172:
 Some examples of symmetric encryption schemes are: [[wp>Advanced_Encryption_Standard|AES]], [[wp>Salsa20#ChaCha_variant|ChaCha20]] and [[wp>Camellia_(cipher)|Camellia]]. Some examples of symmetric encryption schemes are: [[wp>Advanced_Encryption_Standard|AES]], [[wp>Salsa20#ChaCha_variant|ChaCha20]] and [[wp>Camellia_(cipher)|Camellia]].
  
-One extra key bit doubles the difficulty here. That's 128-112=16 difficulty doublings over the 11 year period. So an implicit assumption that the capability available for breaking elliptic curves will double every 11*12/16=8.25 months. That's a bit faster than the 9 month double exponential assumption that in turn comes from the assumption that available processing power and algorithmic capability are each doubling every 18 months. We know that that is not true for processing power.+One extra key bit doubles the difficulty here. That's 128-112=16 difficulty doublings over the 11 year period. So an implicit assumption that the capability available for breaking symmetric encryption will double every 11*12/16=8.25 months. That's a bit faster than the 9 month double exponential assumption that in turn comes from the assumption that available processing power and algorithmic capability are each doubling every 18 months. We know that that is not true for processing power.
  
 The idea that the algorithmic capability against symmetric encryption might be doubling every 18 months is fairly surprising. A regular increase here is not something that is normally assumed. Perhaps there was some sort of "debt" with respect to key length that we are making up for in this time period. It might be good to apply the Bitcoin thought experiment as previously seen in this article as a sort of sanity check. The idea that the algorithmic capability against symmetric encryption might be doubling every 18 months is fairly surprising. A regular increase here is not something that is normally assumed. Perhaps there was some sort of "debt" with respect to key length that we are making up for in this time period. It might be good to apply the Bitcoin thought experiment as previously seen in this article as a sort of sanity check.
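
Review bot: In the changed sentence, "So an implicit assumption that the capability available for breaking symmetric encryption will double every 11*12/16=8.25 months" is a fragment with no main verb; "So there is an implicit assumption that ..." would fix it. The swap from "elliptic curves" to "symmetric encryption" agrees with the surrounding context lines (the AES, ChaCha20 and Camellia list above and the paragraph below), and 11*12/16 does come to 8.25. The closing "We know that that is not true for processing power" carries no reference in the visible lines; a footnote supporting it would help.
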
em/20482030.1699547270.txt.gz · Last modified: 2023/11/09 16:27 by b.walzer