26

According to this primer on elliptic curves by Ars Technica, when composite numbers get "too" big, they become easier to factorize with Quadratic Sieve and General Number Field Sieve.

While this is not explained in detail on the site, it is a common understanding that RSA encryption is in a squeeze trap where the RSA modulus is getting larger and larger as factorizing algorithms and equipment get more and more capable, at the same time getting closer to some sort of ceiling where, apparently, the resulting security of the modulus drops.

Please enlighten me: Why is it not possible to increase the size of RSA keys indefinitely?

Mike Edward Moras
fast-reflexes

2 Answers

43

I've never heard that RSA becomes less secure when the modulus grows. Obviously the strength doesn't grow as fast as the number of bits, but that only means that it grows sub-exponentially.

If it keeps growing (without the growth going near zero) then there is no "trap". Check for instance here where the conclusion is that there is no exponential growth but super-polynomial growth of the time complexity (i.e. strength).

If you take a careful look at the article in Ars Technica then you'll see that the author mainly claims that the growth of the key size is not sustainable for low powered devices. ECC is certainly beneficial in those situations.

The statement "The gap between the difficulty of factoring large numbers and multiplying large numbers is shrinking as the number (ed: the key size) gets larger" is however false as fgrieu correctly identifies. It just doesn't grow as fast as you may at first assume. The key strength cannot be calculated the same way as with keys for symmetric algorithms.

Maarten Bodewes
26

I don't understand at all what this claim is on the website. The claim that RSA becomes very expensive for large $N$ is true, but to say that the gap between encryption/decryption cost and factoring goes down makes no sense at all! The function describing the running time of the best factoring algorithms is clearly asymptotically larger than $n^3$ (the time to decrypt RSA). Thus, as the key size $n$ gets larger, the gap only increases.

Yehuda Lindell
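The two answers above can be checked numerically. The following is an added example, not code from either answerer: it evaluates the heuristic general number field sieve cost $\exp\left((64/9)^{1/3}(\ln N)^{1/3}(\ln\ln N)^{2/3}\right)$ with the $o(1)$ term dropped (an assumption) against the $n^3$ decryption model, for moduli of $n$ bits. The function names are illustrative.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)  # constant c in L_N[1/3, c] for the number field sieve


def gnfs_log2_cost(modulus_bits: int) -> float:
    """log2 of exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)) for an N of modulus_bits bits.

    Assumption: the o(1) term of the heuristic estimate is dropped.
    """
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def private_op_log2_cost(modulus_bits: int) -> float:
    """log2 of n^3, the decryption cost model used in the answer above."""
    return 3 * math.log2(modulus_bits)


def gap_bits(modulus_bits: int) -> float:
    """log2 of (factoring cost / decryption cost): attacker work per unit of user work."""
    return gnfs_log2_cost(modulus_bits) - private_op_log2_cost(modulus_bits)


def report(sizes=(1024, 2048, 3072, 7680, 15360)):
    """Rows of (bits, log2 factoring cost, log2 decryption cost, log2 gap)."""
    return [
        (n, round(gnfs_log2_cost(n), 1), round(private_op_log2_cost(n), 1),
         round(gap_bits(n), 1))
        for n in sizes
    ]


if __name__ == "__main__":
    print(f"{'bits':>6} {'factor':>8} {'decrypt':>8} {'gap':>8}   (all log2)")
    for bits, factor, decrypt, gap in report():
        print(f"{bits:>6} {factor:>8} {decrypt:>8} {gap:>8}")
```

The gap column rises with every size, while doubling the modulus adds far less than double the strength; the absolute figures are approximate because the $o(1)$ term is ignored, so only the trend should be read from them.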