25

According to this primer on elliptic curves by Ars Technica, when composite numbers get "too" big, they become easier to factorize with Quadratic Sieve and General Number Field Sieve.

While this is not explained in detail on the site, it is a common understanding that RSA encryption is in a squeeze trap where the RSA modulus is getting larger and larger as factorizing algorithms and equipment get more and more capable, at the same time getting closer to some sort of ceiling where, apparently the resulting security of the modulus drops.

Please enlighten me: Why is it not possible to increase the size of RSA keys indefinitely?

e-sushi
  • 17,891
  • 12
  • 83
  • 229
fast-reflexes
  • 361
  • 3
  • 5

2 Answers2

43

I've never heard that RSA becomes less secure when the modulus grows. Obviously the strength doesn't grow as fast as the number of bits, but that only means that it grows sub-exponentially.

If it keeps growing (without the growth going near zero) then there is no "trap". Check for instance here where the conclusion is that there is no exponential growth but super-polynomial growth of the time complexity (i.e. strength).

If you take a careful look at the article in Ars Technica then you'll see that the author mainly claims that the growth of the key size is not sustainable for low powered devices. ECC is certainly beneficial in those situations.

The statement "The gap between the difficulty of factoring large numbers and multiplying large numbers is shrinking as the number (ed: the key size) gets larger" is however false as fgrieu correctly identifies. It just doesn't grow as fast as you may at first assume. The key strength cannot be calculated the same way as with keys for symmetric algorithms.

Community
  • 1
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • Thanks! So the whole notion of RSA being less usable / secure than ECC in the future then bears no significance? (except for on low-power devices which benefit from the smaller key size in ECC) – fast-reflexes Dec 14 '16 at 02:01
  • 1
    Both are susceptible to quantum computing attacks, with RSA having a (very) slight advantage. The key size and speed of operation (try and create a 16Kbit key pair on your machine) may hamper even larger computers. Those kind of key sizes are hard to handle even on larger machines and not just on low power devices. – Maarten Bodewes Dec 14 '16 at 08:52
  • 1
    @fast-reflexes The performance degradation of RSA at higher security levels is severe. Nobody wants to have a webserver use a 15000 bit RSA key, but a 512 bit ECC key is very affordable. [But it's not like a security level of 256 bits is meaningful] – CodesInChaos Dec 14 '16 at 09:05
  • 2
    So for "fun" (in case your heater gave up): time openssl genrsa -f4 -out outkey 16384. Note that this searches for two 8192 bit primes, and searching for primes is non-deterministic (i.e. it may take a short time, it may also take very long). Of course the speed of decrypting or signing something is more of an issue on servers. – Maarten Bodewes Dec 14 '16 at 15:05
  • Thank you all! You have killed a myth that I have heard from time to time in different contexts! – fast-reflexes Dec 15 '16 at 13:43
26

I don't understand at all what this claim is on the website. The claim that RSA becomes very expensive for large $N$ is true, but to say that the gap between encryption/decryption cost and factoring goes down makes no sense at all! The function describing the running time of the best factoring algorithms is clearly asymptotically larger than $n^3$ (the time to decrypt RSA). Thus, as the key size $n$ gets larger, the gap only increases.

Yehuda Lindell
  • 27,820
  • 1
  • 66
  • 83