| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| em:20482030 [2023/12/09 16:58] – [Symmetric encryption] typo b.walzer | em:20482030 [2024/11/22 23:01] (current) – [2048 Bit RSA and the Year 2030] NIST speaks, typo b.walzer |
|---|
| ======2048 Bit RSA and the Year 2030====== | ======2048 Bit RSA and the Year 2030====== |
| |
| In the course of some recent work I developed the impression that 2048 RSA was quite secure. Canada(([[https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111|Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111]])) (my country of residence) and others | //Update: NIST released a draft that modified their recommendations (Oct 2024)(([[https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd|Transitioning the Use of Cryptographic Algorithms and Key Lengths, Rev 3]])). RSA 2048 is to be only considered "deprecated" after 2030. The draft states:// |
| | |
| | >//Currently, a 112-bit security strength for the classical digital signature and key-establishment algorithms does not appear to be in imminent danger of becoming insecure in the near future, so this approach should allow an orderly transition to quantum-resistant algorithms without unnecessary effort for the cryptographic community.// |
| | |
| | //Generally the idea seems to be that there would be no point in increasing key sizes in light of the quantum threat. Quantum computing seems to me to represent even less danger than the ideas discussed in this article but I will leave actual discussion of this very controversial topic to others.// |
| | |
| | In the course of some recent work I developed the impression that 2048 bit RSA was quite secure. Canada(([[https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111|Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111]])) (my country of residence) and others |
| (([[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|Recommendation for Key Management]] (USA), [[https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf|Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques]] (France) )) are currently strongly suggesting that 2048 bit RSA should be considered potentially insecure after the year 2030 and that the minimum length considered secure should be then be 3072 bits. That is only 7 years from now (2023). | (([[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|Recommendation for Key Management]] (USA), [[https://www.ssi.gouv.fr/uploads/2021/03/anssi-guide-mecanismes_crypto-2.04.pdf|Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques]] (France) )) are currently strongly suggesting that 2048 bit RSA should be considered potentially insecure after the year 2030 and that the minimum length considered secure should be then be 3072 bits. That is only 7 years from now (2023). |
| |
| =====Where did the 2030 cutoff come from?===== | =====Where did the 2030 cutoff come from?===== |
| |
| I am reasonably certain that the ideas here came from an influential paper released in 2004 by Arjen K. Lenstra((https://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf|Key Lengths: Contribution to The Handbook of Information Security)) that showed this year in a table. Here is a simplified version of the table: | I am reasonably certain that the ideas here came from an influential paper released in 2004 by Arjen K. Lenstra(([[https://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf|Key Lengths: Contribution to The Handbook of Information Security]])) that showed this year in a table. Here is a simplified version of the table: |
| |
| ^ Modulus Bit Length ^ Conservative Year ^ Optimistic Year ^ | ^ Modulus Bit Length ^ Conservative Year ^ Optimistic Year ^ |
