| > At one point much of the world was using 128bit rsa keys When? I was writing crypto libraries in the early 90s to support RSA, DSA and ElGamal at my company (this predates the times when good open source crypto libraries were broadly available). Even back then 128 bit RSA keys were not used. The smallest the library supported was 512 and the smallest we ever used in production was 768 bits. That's how far back my own memory goes. But here's a paper from Arjen Lenstra from 2001 which has a table showing computationally equivalent key sizes back to 1982. https://infoscience.epfl.ch/server/api/core/bitstreams/c323a... In 1982, security comparable (at the time!) to DES would have been 417 bit RSA keys. So even in 1982, using 128 bit RSA keys made no sense! > You’ll be scrambling to once more bump up the key size and you’ll be auditing all the potential data leaked. If you've had to do this for RSA keys (more than once, even!) I respectfully suggest you need to be a lot more conservative picking key lengths. There has never been a sudden breakthrough in factorization that has rendered conservatively chosen RSA key lengths obsolete overnight. |