Paper 2009/389

On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography

Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra, and Peter L. Montgomery


Meeting the requirements of NIST’s new cryptographic standards means phasing out usage of 1024-bit RSA and 160-bit elliptic curve cryptography (ECC) by the end of the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their continued usage beyond 2010. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC over a prime field may safely be used for much longer – with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit prime field ECC by the year 2020. Our assessment is based on the latest practical data of large scale integer factorization and elliptic curve discrete logarithm computation efforts.

Note: Version 2.1

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
NIST Special Publication 800-57Suite B Cryptography80-bit securityRSAinteger factorizationNFSECCElliptic curve discrete logarithmPollard rho
Contact author(s)
joppe bos @ epfl ch
2009-09-01: revised
2009-08-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joppe W.  Bos and Marcelo E.  Kaihara and Thorsten Kleinjung and Arjen K.  Lenstra and Peter L.  Montgomery},
      title = {On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography},
      howpublished = {Cryptology ePrint Archive, Paper 2009/389},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.