Snake Oil Sales and Boiling The Ocean

In cybersecurity, snake oil salespeople are alive and well, and in areas of encryption there are probably more than any other area. I regularly get asked about when a company should upgrade from 2K RSA keys to 4K ones, as the company has been informed that 2K keys are insecure. My answer is that an adversary would have to consume the energy that it would take to boil the North Sea. I appreciate that quantum computers will actually break RSA, but at the current time, 2K RSA keys are more than enough for good security.

Overall, in public key encryption, there are three main methods that ‘are thought’ to be intractable (‘not easy to solve’);

• Integer factorization problem (IFP): Typically using RSA and where a modulus (N) is difficult to factorize into its prime number factors (p and q). RSA can be used for digital signatures and also for public key encryption.
• Discrete logarithm problem (DLP): Derived from logs (Y=g^x) and made discrete (Y=g^x mod p) with a prime number p. It is difficult to find x, even if we know Y and p. This includes Digital Signature Algorithm (DSA), Schnorr signatures, Diffie-Hellman (DH) key exchange and ElGamal encryption.
• Elliptic curve discrete logarithm problem (ECDLP). Implements a discrete version of an elliptic curve (eg y=x³+7 mod p), and creates elliptic versions of the…