by neandrake 1686 days ago
I’m not an expert but I think RSA is discouraged these days because its strength is dependent on the key size, which is regularly outdated as computers get faster/parallelize. Ten years ago a 512-bit key was considered secure, but these days I think 4096 is the recommended minimum length for a keypair that’s considered secure. Because of this it requires cycling through keys every now and again, which can be tedious and even painful if you build PKI using it. The latter happened with a project I worked on where we’ve had to cycle our users’ keys for an application a few times now, I think jumping from 512 to 2048 and recently to 4096. This is even more tedious in a zero-knowledge system where the keys can only be unlocked with user authentication but deadlines for updating exist.

I’m not positive but I don’t think Elliptic Curves have the same issue, or key lengths have longer predicted life spans.


As far as I have been able to figure, 2048 bit RSA is good for the ages. It would take some fundamental breakthrough like quantum computing to break. No conceivable incremental improvement in current computing technology will come close to touching it.
> 2048 bit RSA is good for the ages

Estimates show that state-level factorisation will be readily possible by 2030, and academic-size factorisation five to ten years after that (this is just using classical computers).

State level factorization is probably somewhere in the 1024 bit RSA range with a Manhattan Project level of effort. The extra difficulty when going to 2048 bits is around a billion (1E9). So that would mean that the estimate assumes that we are going to be able to increase our computing capability by a factor of a billion in ten years. That seems very unlikely to me.

Moore's law has the number of transistors doubling every 2 years (not necessarily faster transistors, just transistors). So for 10 years we get 2^5=32. That seems well short of a billion, and it is generally accepted that current technology is going to run into fundamental physical limits fairly soon.

Ignoring physical limits, if Moore's law holds it works out to 60 years for state level attacks on 2048 bit RSA.
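The "factor of a billion" and "60 years" arithmetic in the comment above, carried through in Python as an added example (not part of the original thread). It uses the standard GNFS heuristic L_n[1/3, (64/9)^(1/3)] with no constant factors or o(1) term, and assumes a two-year doubling period for Moore's law; both are modelling assumptions, not measurements.

```python
import math

# Heuristic general number field sieve (GNFS) cost for factoring n:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# This is the bare asymptotic heuristic: constant factors and the o(1) term
# are ignored, so only ratios between key sizes are meaningful here.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the heuristic GNFS effort for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)  # ln(2^bits) approximates ln(n) for a bits-bit modulus
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def effort_ratio(bits_from: int, bits_to: int) -> float:
    """How many times harder (heuristically) a bits_to modulus is to factor than a bits_from one."""
    return math.exp(gnfs_log_effort(bits_to) - gnfs_log_effort(bits_from))


def moore_years(ratio: float, years_per_doubling: float = 2.0) -> float:
    """Years until compute capacity grows by `ratio`, assuming it doubles every `years_per_doubling` years."""
    return math.log2(ratio) * years_per_doubling


def security_bits(bits: int) -> float:
    """Heuristic GNFS work expressed in bits (log2 of the effort), for comparing key sizes."""
    return gnfs_log_effort(bits) / math.log(2)


if __name__ == "__main__":
    ratio = effort_ratio(1024, 2048)
    print(f"1024 -> 2048 bit RSA: ~{ratio:.1e}x more GNFS effort")   # ~1.2e9, "around a billion"
    print(f"Moore's law doublings needed: {math.log2(ratio):.1f}")    # ~30, i.e. 2^30 not 2^5
    print(f"Years at one doubling per 2 years: {moore_years(ratio):.0f}")  # ~60 years
    for b in (1024, 2048, 3072, 4096):
        print(f"RSA-{b}: ~{security_bits(b):.0f} bits of heuristic GNFS work")
```

The output shows why a ten-year horizon implies far more than the 2^5 growth the comment computes: closing the 1024-to-2048 gap by hardware scaling alone needs about thirty doublings, not five.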

> State level factorization is probably somewhere in the 1024 bit RSA range with a Manhattan Project level of effort. The extra difficulty when going to 2048 bits is around a billion (1E9). So that would mean that the estimate assumes that we are going to be able to increase our computing capability by a factor of a billion in ten years. That seems very unlikely to me.

I mean, Moore's law is hanging but that doesn't mean that they can just, you know, expand their computer footprint? To be precise, NSA (or is it NRO?) is preparing for a warehouse-size supercomputer and it is conceivable that other countries are bucking up with this.

Plus, after the "let's rely on Moore's law" tactic, chip design has another boost of investment, and it's paying off. IPC, despite the clocks hovering around 5 GHz, is increasing, and specialised chips and immersion and/or sub-zero cooling can boost this further. It's rather exciting after the relative stagnation last decade.

> doesn't mean that they can just, you know, expand their computer footprint?

A billion times? Would there be enough money in the world to pay for it? Enough resources?