
Factorization of RSA-250 - kissickas
https://lists.gforge.inria.fr/pipermail/cado-nfs-discuss/2020-February/001166.html
======
zakk
Estimating a cost of 1 cent per core-hour, this cost more than 200k€. Since
INRIA is a national research institute, I am guessing at least part of this
has been paid with taxpayer money, either directly from the Institute or from
grants.

I am wondering how such an expense can be justified.

It's an honest question: I find all of this very exciting and brilliant,
however having written grant proposals myself, I am wondering how could they
'sell' factoring larger and larger numbers as worth funding.

~~~
KCUOJJQJ
Noob here. Could this work as a benchmark and tell us how safe RSA-1024,
RSA-2048, RSA-16384 etc. are?

BTW, why shouldn't everyone switch to RSA-16384? According to
[https://wiki.gnupg.org/LargeKeys](https://wiki.gnupg.org/LargeKeys) "elder
versions supported creating of keys up to 16 KiB." When it was possible to
create 16384 long keys, it must still be possible to use them with new
versions of GnuPG, right? And
[https://www.keylength.com/en/compare/](https://www.keylength.com/en/compare/)
tells me that 16384 bits are way better than 4096 bits. According to "Lenstra
Updated" your data is protected until the year 2153 with 16384 bit keys and
until the year 2060 with 4096 bit keys.

~~~
dippersauce
I would think a primary reason for that is performance. A key that large would
require a lot of entropy for initial generation, a large(r) amount of memory,
as well as making encryption much more computationally expensive. I'd also be
worried that with such large keys there might be greater potential for side-
channel attacks.

~~~
rakoo
It's also much more complicated in practice to exchange huge key files than
the 32 byte string that an EC key is

