### Table 3: Comparison of RSA variants. Experimental speedup factors for 1024-bit keys.

2002

"... In PAGE 8: ...60 bits long. Consequently, for security reasons k should not be less than 160. 5 Conclusions We surveyed four variants of RSA designed to speed up RSA decryption and be backwards- compatible with standard RSA. Table3 gives the decryption speedup factors for each of these variants using a 1024-bit RSA modulus. Batch RSA is fully backwards-compatible, but requires the decrypter to obtain and manage multiple public keys and certi cates.... ..."

Cited by 11

### Table 3: Comparison of RSA variants. Experimental speedup factors for 1024-bit keys.

2002

"... In PAGE 8: ...ong. Consequently, for security reasons k should not be less than 160. 5 Conclusions We surveyed four variants of RSA designed to speed up RSA decryption and be backwards- compatible with standard RSA. Table3 gives the decryption speedup factors for each of these variants using a 1024-bit RSA modulus. Batch RSA is fully backwards-compatible, but requires the decrypter to obtain and manage multiple public keys and certificates.... ..."

Cited by 11

### Table 7. The time of RSA and ECC on the ARM9 processors (msec)

"... In PAGE 12: ... The security parameter of the T pairing over F 3 m ,which has 1,024 bits RSA security should be as large as m = 193. The processing speed of RSA and that of ECC over F 2 n and F p are shown Table7 . The speeds of 1,024 bits RSA on 150MHz and 225MHz ARM9 processors are 447.... ..."

### Table 2: Comparable strengths Bits of security Symmetric key

2003

"... In PAGE 38: ... Additional Comments All NIST-recommended curves, key and modulus sizes must be tested to be used in a FIPS Approved mode of operation. For NIST-Recommended elliptic curves, the value of f is commonly considered to be the size of the private key ( Table2 , NIST SP 800-57). From this value the strength can be determined.... In PAGE 65: ...6.1, Comparable Algorithm Strength, contains Table2 , which provides comparable security strengths for the Approved algorithms. Table 2: Comparable strengths Bits of security Symmetric key ... In PAGE 65: ... A 256- bit AES key transport key could be used to wrap a 256-bit AES key. For key strengths not listed in Table2 above, the correspondence between the length of an RSA or a Diffie- Hellman key and the length of a symmetric key of an identical strength can be computed as: If the length of an RSA key L (this is the value of k in the fourth column of Table 2 above), then the length x of a symmetric key of approximately the same strength can be computed as: NIST CMVP Page 65 of 86 ... In PAGE 65: ... A 256- bit AES key transport key could be used to wrap a 256-bit AES key. For key strengths not listed in Table 2 above, the correspondence between the length of an RSA or a Diffie- Hellman key and the length of a symmetric key of an identical strength can be computed as: If the length of an RSA key L (this is the value of k in the fourth column of Table2 above), then the length x of a symmetric key of approximately the same strength can be computed as: NIST CMVP Page 65 of 86 ... ..."

### Table 2: Comparisons of the different RSA variants in terms encryption and decryption times for an n=1024 bit modulus with m=80.

2005

"... In PAGE 11: ...ery efficient. Of course, decryption times for Scheme B are longer than decryption time for Scheme A. Thus, there is a trade-off between Scheme A and Scheme B. In Table2 , we compare an instance of Scheme A and Scheme B with the other RSA variants in terms of the complexity of encryption and decryption for a 1024-bit modulus with security parameter m=80. Here we assume that a random k-bit exponent will require 1.... ..."

### Table 3. Performance Comparison of BF-IBE (on PIII 1GHz) and IB-mRSA (on PIII 800MHz) with 1024-bit security.

2003

"... In PAGE 11: ... In addition, IB-mRSA offers better performance than BF-IBE. As seen from the comparison in Table3 , IB-mRSA is noticeably faster than BF-IBE in both key genera-... ..."

Cited by 7

### Table 4. Years until which common RSA modulus bit-lengths o er adequate protection . . . . . . . . . . . . . . . . . . . . . . . . . 26

in Key Length

"... In PAGE 26: ...year. (optimistic) bit-length (conservative) bit-length year y ( (y)) for = 2:852 for = 1:976 2010 (75) 1112 1153 2020 (82) 1387 1569 2030 (88) 1698 2064 2040 (95) 2048 2645 2050 (102) 2439 3314 Table4 : Years until which common RSA modulus bit-lengths o er adequate protection. modulus (conservative) year yc (optimistic) year yo bit-length for = 1:976 ( (yc)) for = 2:852 ( (yo)) 1024 2006 (72) 2006 (72) 1280 2014 (78) 2017 (80) 1536 2020 (82) 2025 (85) 2048 2030 (88) 2040 (95) 3072 2046 (99) 2065 (112) 4096 2060 (108) 2085 (125) 8192 2100 (135) 2142 (163) Table 3 lists the resulting RSA modulus bit-lengths for both choices for and for several years, and Table 4 lists the years until which several common RSA modulus bit-lengths o er adequate protection, again for both -values.... In PAGE 26: ... (optimistic) bit-length (conservative) bit-length year y ( (y)) for = 2:852 for = 1:976 2010 (75) 1112 1153 2020 (82) 1387 1569 2030 (88) 1698 2064 2040 (95) 2048 2645 2050 (102) 2439 3314 Table 4: Years until which common RSA modulus bit-lengths o er adequate protection. modulus (conservative) year yc (optimistic) year yo bit-length for = 1:976 ( (yc)) for = 2:852 ( (yo)) 1024 2006 (72) 2006 (72) 1280 2014 (78) 2017 (80) 1536 2020 (82) 2025 (85) 2048 2030 (88) 2040 (95) 3072 2046 (99) 2065 (112) 4096 2060 (108) 2085 (125) 8192 2100 (135) 2142 (163) Table 3 lists the resulting RSA modulus bit-lengths for both choices for and for several years, and Table4 lists the years until which several common RSA modulus bit-lengths o er adequate protection, again for both -values. For each year y in the two tables the security level (y) = 56 + 2(y 1982) 3 that o ers adequate protection until year y, rounded upwards to the nearest integer, is given between parentheses (cf.... In PAGE 30: ... [14]), with # hgi 2160 o ers ade- quate protection against subgroup attacks until the year y(1 2 log2 # hgi) y(1 2 log2 2160) = y(80) = 2018: But the fact that the DSA prescribes usage of g 2 (Fp) with log2 p 1024 un- dermines the security level and implies that the DSA o ers adequate protection only until 2006 (cf. Table4 in Section 6). FIPS Publication 186 is currently being revised to support larger key sizes for the DSA.... In PAGE 31: ... Refer to Table 3 for modulus bit-lengths that should o er adequate protection until year 2000 + 10i for 0 lt; i 5. Refer to Table4 for the year until which several common modulus bit-lengths can be expected to o er adequate protection. Discrete logarithm based asymmetric cryptosystems.... ..."

Cited by 1

### Table 3: Minimal RSA modulus bit-lengths for adequate protection until a given year.

in Key Length

"... In PAGE 26: ...Table 4: Years until which common RSA modulus bit-lengths o er adequate protection. modulus (conservative) year yc (optimistic) year yo bit-length for = 1:976 ( (yc)) for = 2:852 ( (yo)) 1024 2006 (72) 2006 (72) 1280 2014 (78) 2017 (80) 1536 2020 (82) 2025 (85) 2048 2030 (88) 2040 (95) 3072 2046 (99) 2065 (112) 4096 2060 (108) 2085 (125) 8192 2100 (135) 2142 (163) Table3 lists the resulting RSA modulus bit-lengths for both choices for and for several years, and Table 4 lists the years until which several common RSA modulus bit-lengths o er adequate protection, again for both -values. For each year y in the two tables the security level (y) = 56 + 2(y 1982) 3 that o ers adequate protection until year y, rounded upwards to the nearest integer, is given between parentheses (cf.... In PAGE 31: ... Factoring based asymmetric cryptosystems. Refer to Table3 for modulus bit-lengths that should o er adequate protection until year 2000 + 10i for 0 lt; i 5. Refer to Table 4 for the year until which several common modulus bit-lengths can be expected to o er adequate protection.... ..."

Cited by 1

### Table 4: Timings for RSA

2000

"... In PAGE 10: ... The implementations were done in C++ using LiDIA [14]. The timings for IQ-DSA, given in milliseconds, and the public key sizes, given in bits, are shown in Table 3, for comparison with RSA see Table4 . Each value is the average over 2000 signatures.... ..."

Cited by 5

### Table 1: Comparison of ECDSA, DSA, and RSA signature operations. All times in ms.

"... In PAGE 8: ... This means that this implementation can deal with RSA, DSA, and ECDSA without reloading the program for every public-key algorithm. Table1 summarizes their results. Notice that 192-bit ECDSA provides slightly stronger security than 1024-bit RSA.... ..."