
In much the same sense that HMAC-MD5 is "secure". They deprecated all the lower-bit-strength SHA hash constructions.

The 2048 deprecation in 2030 seems to be about quantum resistance, not about a move to 4096 bit RSA.




> The 2048 deprecation in 2030 seems to be about quantum resistance, not about a move to 4096 bit RSA.

From [0], where the 112-bit 'security strength' of 2048-bit RSA is ultimately pulled from:

"The comparable security strengths provided below are based on accepted estimates as of the publication of this Recommendation using currently known methods. Advances in factoring algorithms, general discrete-logarithm attacks, elliptic-curve discrete-logarithm attacks, and other algorithmic advances as well as quantum computing may affect these equivalencies in the future. New or improved attacks or technologies may be developed that leave some of the current algorithms completely insecure."

Their recommendation is to switch to 3072-bit RSA or higher by 2031, since that has a 128-bit 'security strength' by their formula. So I don't think this has much to do with quantum resistance: as GP says, no reasonable RSA key size will help much with that.

[0] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S..., section 5.6.1
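The 112-bit and 128-bit figures above come from NIST's table, which only publishes the results. As an added illustration (this is not the commenter's code and not from the NIST document), here is the GNFS run-time heuristic L_N[1/3, (64/9)^(1/3)] with the 4.69 calibration constant from the FIPS 140-2 Implementation Guidance, which is the formula the SP 800-57 equivalencies are usually attributed to; that attribution, and the choice to search modulus sizes in steps of 256 bits, are assumptions of this example. The NIST_TABLE values are copied from SP 800-57 Part 1, Table 2.

```python
import math

LN2 = math.log(2)

# NIST SP 800-57 Part 1, Table 2: published "comparable security strength"
# for RSA modulus sizes. These are NIST's table values, not computed here.
NIST_TABLE = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_security_bits(modulus_bits: int) -> float:
    """Estimated security strength (bits) of an RSA modulus of the given size.

    Uses the General Number Field Sieve run-time heuristic
    L_N[1/3, (64/9)^(1/3)], i.e. exp(1.923 * ln(N)^(1/3) * ln(ln N)^(2/3)),
    minus the 4.69 calibration constant from FIPS 140-2 IG 7.5, converted to
    bits. Assumption: this is the formula behind the SP 800-57 table.
    """
    ln_n = modulus_bits * LN2  # natural log of a modulus of this bit length
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / LN2  # ln(work factor) -> log2(work factor)


def smallest_modulus_for(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose heuristic strength
    reaches `target_bits`. The step size is an assumption of this example."""
    n = step
    while gnfs_security_bits(n) < target_bits:
        n += step
    return n


def compare_with_nist() -> dict:
    """Heuristic estimate next to NIST's table value for each listed size."""
    return {n: (round(gnfs_security_bits(n), 1), s) for n, s in NIST_TABLE.items()}


if __name__ == "__main__":
    for n, (est, table) in compare_with_nist().items():
        print(f"RSA-{n:<6} heuristic {est:6.1f} bits   NIST table {table} bits")
    for target in (80, 112, 128, 192):
        print(f"first 256-bit-multiple modulus reaching {target} bits: "
              f"{smallest_modulus_for(target)}")
```

Running it shows the point the comment makes: the heuristic puts RSA-2048 at roughly 110 bits and RSA-3072 at roughly 132 bits, so 2048 lands in NIST's 112-bit bucket only by rounding, and 3072 is the first standard size that clears 128. Read literally, the raw formula would not credit 2048 with 112 bits at all (the first 256-bit multiple that does is 2304), which is why the table, not the formula, is what people actually quote.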


I'm citing (paraphrasing) this more recent document, page 4, line 238. Let me know if I've got it wrong.


Line 244:

>Currently, a 112-bit security strength for the classical digital signature and key-establishment algorithms does not appear to be in imminent danger of becoming insecure in the near future, so this approach should allow an orderly transition to quantum-resistant algorithms without unnecessary effort for the cryptographic community.

I get from this that NIST thinks the quantum threat is significantly greater than the threat from advances in classical computing hardware or algorithms. So we are not to bother with transitioning from 112-bit to 128-bit equivalent strength and to concentrate on post-quantum stuff. As a result, stuff like 2048-bit RSA is now allowed at the "deprecated" level where it was previously "disallowed" after 2030.

It seems that the quantum and classical threats both currently depend on a fundamental breakthrough, so I am not sure how legitimate this policy is. It is reminiscent of the NSA suggestion to not bother transitioning to elliptic-curve-based methods and skip directly to post-quantum methods.


Deprecating RSA-2048 for other reasons doesn't make much sense. Whatever is going to break RSA-2048 is likely to break all of RSA. The story we're commenting on is pretty clear that the motivation here is to streamline the logistics of moving to PQ cryptography.

Credible new systems aren't going to be developed with RSA, regardless.



