To get 128-bit security for RSA, the modulus should be 4096 bits. How was that determined?

Asked Feb 08 '19 at 09:03

Active Feb 08 '19 at 09:03

Viewed 112 times

My understanding of security level is that for a crypto scheme to have n-bit security means it would take $2^n$ operations to break it.

For something like AES with a 128-bit key, it's straight-forward to see why it has 128-bit security.

What I don't understand is how 4096-bit RSA is estimated to have 128-bit security. How was that estimation determined?

asked Feb 08 '19 at 09:03

Bastien

@forest Does the estimation take current processing power into account? – Bastien Feb 08 '19 at 09:14
1

Processing power has nothing to do with it. 128 bits is 128 bits regardless of whether it's "enough". – forest Feb 08 '19 at 09:16

0 Answers0