Larger RSA keys (Modulus bits > 16384)

Phillip Hallam-Baker phill at hallambaker.com
Mon Dec 27 03:39:48 UTC 2021


The RSA algorithm will work with keys of any length and longer is stronger.

But less than 2048 is not acceptably secure by today's standards and the
sad part is that going beyond 2048 bits doesn't improve it by very much.

Add one bit to the key size of a symmetric cipher like AES and you double
the work factor. Go from 128 bits to 192 and your work factor increases by
2^64 times. That is really big.

Add one bit to an RSA key size and the result is barely noticeable. And the
longer the keys get, the less effect extra bits have.

2024 is considered equivalent to a 2^112 work factor
3072 gets you to roughly 2^128

So 50% more bits, 10424 of them buys you a measly 2^16 improvement.

To get to a 2^256 bit work factor you need 15360 bits.

Your computation times go up with the square of the number of bits and
bignum libraries tend to be limited to 16K bits. There really isn't a good
reason to go beyond 16K and a lot of stuff is going to break.


On Sun, Dec 26, 2021 at 10:22 AM Grégory Widmer via openssl-users <
openssl-users at openssl.org> wrote:

> Dear OpenSSL users,
>
> I have a question about OpenSSL. Recently, I asked myself if there was a
> maximum bit length for the modulus of a RSA key.
>
> I tried to type :
>
> user at host:~$ openssl genrsa 32768
> Warning: It is not recommended to use more than 16384 bit for RSA keys.
>          Your key size is 32768! Larger key size may behave not as
> expected.
> Generating RSA private key, 32768 bit long modulus (2 primes)
>
> I got this warning, and I wonder why a larger key size may behave not as
> expected.
>
> Could anyone explain or give resources on why this doesn't work ?
>
> My guess is that, having the following : (M = message, C = Ciphered)
>
> If M^e is < n, we could easily compute the original message ?
>
> Also, I want to apologize if my question is redundant, I tried to search
> on GitHub and through the mailing list, but there is no search feature in
> the mailing list.
>
> Have a nice day !
>
> Grégory Widmer
>
>
> PS : This question is for knowledge purpose only, I don't use RSA keys
> anymore (except with GPG), I prefer ECC :)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211226/7f57cebe/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mppblpkdbekgaece.png
Type: image/png
Size: 5312 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211226/7f57cebe/attachment-0001.png>


More information about the openssl-users mailing list