Is it true that breaking a 1024-bit RSA key is as difficult as breaking a 128-bit symmetric key (e.g. AES)? I know that breaking an RSA key is equivalent to factoring the modulus $N$. To factor it, you have to see if any number between $2$ and $N/2$ divides $N$, right? But that would still be much greater than $2^{128}$ trials (which is the worst-case scenario for cracking a 128-bit AES key). Then, how is breaking a 128-bit AES key the same as a 1024-bit RSA key?
2 Answers
No. Breaking a 1024-bit RSA key is not as difficult as breaking a 128-bit symmetric key. The consensus is that it is considerably less difficult, perhaps more comparable to breaking an 80-bit symmetric key, which is $2^{48}$ times less difficult than breaking a 128-bit key; that's a lot less difficult (a hundred million million times less difficult).
The reason is that breaking a 1024-bit RSA key can be attempted using an integer factorization algorithm, without exhaustively trying divisors. For the state of the art, see this article on the current factorization record.
No. According to NIST, an RSA (or integer DSA, Elgamal, DH, etc.) key of 3072 bits is equivalent to 128 bits of symmetric key.
By their measure, 1024-bit public keys are considered to be equivalent to 80-bit symmetric keys. 2048-bit keys are equivalent to 112 bits symmetric.
One can debate the equivalence (and I do when I'm in a contrary mood), but it's a reasonable one.
Note that this means that you should have retired your 1024-bit key at the end of 2010, but if you hold your nose, you can keep it through 2013.
Jon
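The gap both answers describe (factoring algorithms versus trying divisors, and the NIST equivalences) can be put in numbers. This is an added example, not code from either answer: it uses the standard heuristic cost of the general number field sieve, $L_N[1/3, (64/9)^{1/3}]$, with the $o(1)$ term dropped, so its absolute values are rough and come out above NIST's calibrated figures. The function names are this example's own.

```python
import math

# NIST equivalences quoted in the answers above (modulus bits -> symmetric bits).
NIST_EQUIV = {1024: 80, 2048: 112, 3072: 128}

def trial_division_bits(modulus_bits):
    """log2 of worst-case trial divisions; divisors only matter up to sqrt(N)."""
    return modulus_bits / 2

def gnfs_bits(modulus_bits):
    """log2 of the heuristic GNFS cost exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)),
    with c = (64/9)^(1/3) and the o(1) term dropped (an assumption of this sketch)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def modulus_bits_for(target_bits):
    """Smallest modulus size whose heuristic GNFS cost reaches target_bits."""
    lo, hi = 64, 1 << 16
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def comparison_table():
    """Rows of (modulus bits, trial-division bits, GNFS bits, NIST bits)."""
    return [
        (bits, trial_division_bits(bits), round(gnfs_bits(bits), 1), nist)
        for bits, nist in sorted(NIST_EQUIV.items())
    ]

if __name__ == "__main__":
    print(f"{'RSA bits':>8} {'trial div':>10} {'GNFS est.':>10} {'NIST':>5}")
    for bits, trial, gnfs, nist in comparison_table():
        print(f"{bits:>8} {trial:>10.0f} {gnfs:>10.1f} {nist:>5}")
    print("Modulus size for a 128-bit GNFS estimate:", modulus_bits_for(128))
```

Trial division on a 1024-bit modulus costs about $2^{512}$ operations, while the sub-exponential sieve estimate is under $2^{90}$, which is why key sizes must grow much faster than the security level they buy.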