2048 Bit RSA and the Year 2030

239 points by upofadown, almost 2 years ago

20 comments

sansseriff, almost 2 years ago
We can expect a quantum computer with 20 million noisy qubits to break RSA 2048 [1]

I can't speak to coherence time or circuit depth concerns, but qubit counts are doubling roughly every year. Current chips have thousands of qubits, so the exponential scaling implies we'd have 20 million qubits by 2035-2040.

edit: And from the paper, the required quantum volume ("megaqubitdays") scales between O(n^3) and O(n^4) with RSA key length. So a few years after breaking RSA 2048, you'd have a computer five times larger that could break RSA 3072.

[1] https://quantum-journal.org/papers/q-2021-04-15-433/
capableweb, almost 2 years ago
Unless you're worried about storing and/or transmitting a huge amount of keys (in the order of "at least 100/second") and/or using one key "at least 100 times/second", why not just go for 4096 by default?
slater, almost 2 years ago
Server appears to be hugged, web archive link:

https://web.archive.org/web/20230710195916/https://articles.59.ca/doku.php?id=em:20482030
roomey, almost 2 years ago
I think the point is as computers get faster there is less trade off in having longer bit lengths, rather than focusing on the potential to crack said keys.

That is, if it costs very little to have larger keys, why not have larger keys?

It is essentially hedging your bets as even if quantum computing key factorisation works, key lengths will still have an impact on the difficulty of factorisation, and it may make a difference in terms of practicality.
klabb3, almost 2 years ago
I'm not a cryptographer, but I can see many more pressing reasons for migrating off RSA before 2030. Is there any reason to pick RSA for greenfield today?

RSA, to my knowledge, is vulnerable to side channels and poor parameter choices. Implementation simplicity is an underrated security parameter. The fewer feet you have, the fewer of them you can shoot.

The NSA data centers don't want to waste time on your RSA key anyway, much less your run-of-the-mill Russian black hat groups. What bites us in practice are 0-days of something stupid like heartbleed or rowhammer that can be automated, and takes a long time to patch.
Tempest1981, almost 2 years ago
No concern about "store now, decrypt later"?

https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later
jbarrs, almost 2 years ago
I find it amusing that the table published a conservative cutoff year and an optimistic cutoff year. Based on the trends I've seen, most non-critical software would probably have made the switch in time for the conservative year, whereas anything security-critical like a bank would probably use the optimistic year.
Aardwolf, almost 2 years ago
For Symmetric encryption, it says: 'Current key size: 112 bits'

However the 3 linked examples, AES, ChaCha20 and Camellia all use a key size of at least 128 bits, with 192 or 256 bits also listed as options.

What does this current NIST key size recommendation (effective as of 2019) of 112 mean then? Does anyone use this size?
bsder, almost 2 years ago
One of the other problems about RSA cracking progress is that not a lot of people care anymore.

RSA is so slow that a *lot* of people have switched to Elliptic Curve.

That's going to dent progress as the smart people are all working on ECC instead of RSA.
thomashabets2, almost 2 years ago
I use gpg plus kyber (quantum resistant). RSA may break, and kyber might suck. But I'm hoping not both.

https://github.com/ThomasHabets/kybertest
throw0101a, almost 2 years ago
Recommendations from various organizations can be found at:

* https://www.keylength.com

Anything recent (≥2016) seems to say 3072 for RSA.
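How an RSA modulus size maps to a symmetric-equivalent strength in key-length tables of this kind, as an added example that is not part of the thread or the linked article: it evaluates the GNFS running-time heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, optionally with the 4.69 offset from the formula in NIST's FIPS 140-2 implementation guidance. The function names are hypothetical and the output is an order-of-magnitude estimate, not a measured cost.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)  # ~1.923, the constant c in L_n[1/3, c]
NIST_OFFSET = 4.69            # offset used in the FIPS 140-2 IG 7.5 formula


def gnfs_strength_bits(modulus_bits, offset=0.0):
    """log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3) - offset) for an n of modulus_bits bits."""
    ln_n = modulus_bits * math.log(2)
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - offset
    return exponent / math.log(2)


def smallest_modulus_for(target_bits, step=256, offset=NIST_OFFSET, limit=16384):
    """Smallest modulus size (a multiple of step) whose estimate reaches target_bits."""
    for size in range(step, limit + 1, step):
        if gnfs_strength_bits(size, offset) >= target_bits:
            return size
    raise ValueError("target strength not reachable below limit")


def strength_table(sizes=(1024, 2048, 3072, 4096)):
    """Rows of (modulus bits, raw estimate, offset-adjusted estimate), rounded to 0.1 bit."""
    return [
        (s, round(gnfs_strength_bits(s), 1), round(gnfs_strength_bits(s, NIST_OFFSET), 1))
        for s in sizes
    ]


if __name__ == "__main__":
    for size, raw, adjusted in strength_table():
        print(f"RSA-{size}: raw ~2^{raw}, offset-adjusted ~2^{adjusted}")
    # Sizes are searched in 256-bit steps; 128 is the common symmetric target.
    print("smallest size for a 128-bit estimate:", smallest_modulus_for(128))
```

The offset-adjusted estimate comes out near 110 bits for a 2048-bit modulus and near 132 bits for 3072, which tables round to the nominal 112-bit and 128-bit levels.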
smaudet, almost 2 years ago
One thing this paper ignores is side channel attacks. Those may involve hardware or software vulnerabilities, or they may be inherent to the process itself.

So the real bogeyman is not whether we have figured out how to factor large numbers yet (aside from Shor and the as of now mythical quantum computer), but how much information you might leak by using your key.

One (generally) overlooked idea might be, some sort of vulnerability between the key and the data being used. E.g., by multiplying many, many smaller numbers with the private key, is it possible to increase the efficiency of the sieve.

Then it might be the case that commonly used keys are more vulnerable and keys used less are less vulnerable.

Another idea would be a rainbow table of keys. It might not matter so much that you can arbitrarily factor a large number, if generating keys is fast. Especially when you mount attacks on the random number generators involved, you can reduce the search spaces.

Forcing the key itself is not so much the concern, this doesn't make me think "oh we are fine".

Historically we only have to look back to e.g. Heartbleed to be reminded that we broke ssl not by factoring primes, but by exploiting the many flaws in the protocol itself.
cat_plus_plus, almost 2 years ago
This ignores potential current unpublished advances by entities like NSA and potential unforeseen future algorithmic and computing power advances. Logically speaking, larger keys could help and are unlikely to hurt with both. Even if larger key still ends up breakable, adversaries may still go for low hanging fruit.

Other than that, it depends on secrecy timeline and cost/performance sensitivity. An average credit card transaction is unlikely to be targeted by NSA or archived in hopes of cracking it 30 years later, and on the other hand volume is very high and latency is important. So use whatever is thought to not be breakable now and upgrade keys if and when technology progresses. On the other hand, list of American spies in Russia would not take more than a few minutes to decrypt even with enormous key sizes and on the other hand disclosure could cause real damage even decades later. Might as well overshoot even if there is no known reason as of yet.
DeathArrow, almost 2 years ago
> The assumptions that the 2030 date for increasing RSA key length were based on turned out to be invalid. A check of current capability confirms this. There seems to be no rational reason to increase RSA key sizes past 2048 starting in the year 2030. We don't have any reason to increase RSA key sizes at any time based on our current understanding.

Great to know my porn collection will be safe with 2048 bit RSA. :)
userbinator, almost 2 years ago
My MITM proxy that sits on the LAN and acts as a filtering gateway to the Internet still uses a 1kbit RSA key, only because it's the smallest size my devices will accept. It's somewhat amusing that, despite widespread "knowledge" that 1024-bit RSA is "insecure", this is still roughly 2^100 times more difficult to factor than the current latest record of 829 bits.
paulnpace, almost 2 years ago
I realize I'm rather far out of my depth here, but when discussing asymmetric encryption, doesn't this typically imply the discussion is about authentication?

Is there a way to derive the ephemeral keys? My understanding is that these are not directly shared, but it's exactly where I am weakest on the basic concepts of the handshake and related stuffs.
mmaunder, almost 2 years ago
That AI will accelerate algorithmic improvements is a new factor that has not previously been taken into account. This may be too optimistic.
nailer, almost 2 years ago
Is there a quantum algorithm for cracking ECDSA like Shor's for RSA? I was hoping they'd mention it in the article.
unnouinceput, almost 2 years ago
Quote: "There seems to be no rational reason to increase RSA key sizes past 2048 starting in the year 2030. We don't have any reason to increase RSA key sizes at any time based on our current understanding."

Yeahhhh, nice try NSA. If they say this, I'd say go to 8192 right now.
gregw2, almost 2 years ago
Is factoring something that GPU/CUDA parallelism helps with?