<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">The RSA algorithm will work with keys of any length and longer is stronger.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">But less than 2048 is not acceptably secure by today's standards and the sad part is that going beyond 2048 bits doesn't improve it by very much.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Add one bit to the key size of a symmetric cipher like AES and you double the work factor. Go from 128 bits to 192 and your work factor increases by 2^64 times. That is really big.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Add one bit to an RSA key size and the result is barely noticeable. And the longer the keys get, the less effect extra bits have.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">2024 is considered equivalent to a 2^112 work factor</div><div class="gmail_default" style="font-size:small">3072 gets you to roughly 2^128</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">So 50% more bits, 10424 of them buys you a measly 2^16 improvement.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><span style="font-size:small">To get to a 2^256 bit work factor you need </span>15360 bits.</div><div class="gmail_default"><br></div><div class="gmail_default">Your computation times go up with the square of the number of bits and bignum libraries tend to be limited to 16K bits. There really isn't a good reason to go beyond 16K and a lot of stuff is going to break.</div><div class="gmail_default"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Dec 26, 2021 at 10:22 AM Grégory Widmer via openssl-users <<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Dear OpenSSL users,</p>
<p>I have a question about OpenSSL. Recently, I asked myself if
there was a maximum bit length for the modulus of a RSA key.</p>
<p>I tried to type :</p>
<p><font face="monospace">user@host:~$ openssl genrsa 32768<br>
Warning: It is not recommended to use more than 16384 bit for
RSA keys.<br>
Your key size is 32768! Larger key size may behave not
as expected.<br>
Generating RSA private key, 32768 bit long modulus (2 primes)</font></p>
<p>I got this warning, and I wonder why a larger key size may behave
not as expected.</p>
<p>Could anyone explain or give resources on why this doesn't work ?</p>
<p>My guess is that, having the following : (M = message, C =
Ciphered)<br>
</p>
<p><img src="cid:17df9ed3b88e3eaa8d21" alt=""></p>
<p>If M^e is < n, we could easily compute the original message ?</p>
<p>Also, I want to apologize if my question is redundant, I tried to
search on GitHub and through the mailing list, but there is no
search feature in the mailing list.</p>
<p>Have a nice day !</p>
<p>Grégory Widmer</p>
<p><br>
</p>
<p>PS : This question is for knowledge purpose only, I don't use RSA
keys anymore (except with GPG), I prefer ECC :)<br>
</p>
</div>
</blockquote></div></div></div>