RSA key security levels
| RSA key size | Classical security | Post-quantum security | NIST status | Verdict |
|---|---|---|---|---|
| 512-bit | ~40-bit | Broken | Prohibited | Broken (1999) |
| 768-bit | ~60-bit | Broken | Prohibited | Broken (2009) |
| 1024-bit | ~80-bit | Broken | Prohibited since 2013 | Do not use |
| 2048-bit | ~112-bit | Broken (quantum) | Acceptable until 2030 | Migrate soon |
| 3072-bit | ~128-bit | Broken (quantum) | Recommended | Migrate to PQC |
| 4096-bit | ~140-bit | Broken (quantum) | Strong classical | Good, but plan PQC |
| Kyber-768 | 192-bit | 192-bit | NIST FIPS 203 | Quantum-safe |
Why RSA is vulnerable to quantum computers
RSA security relies on the difficulty of factoring large integers — a problem that classical computers cannot solve efficiently for large key sizes. However, Shor's algorithm, running on a sufficiently large quantum computer, can factor RSA moduli in polynomial time — making all RSA key sizes theoretically breakable.
The critical question is not if quantum computers will break RSA, but when. Current estimates suggest cryptographically relevant quantum computers (CRQCs) capable of breaking RSA-2048 could exist between 2030 and 2040.
What is the public exponent?
The RSA public key consists of two numbers: the modulus (n) and the public exponent (e). The standard value is 65537 (0x10001) — a prime chosen for efficiency and security. Unusual exponents like 3 can introduce vulnerabilities in some implementations.
References
- NIST SP 800-57 — Recommendation for Key Management
- Lenstra et al., "Ron was wrong, Whit is right" (2012) — RSA key analysis at scale
- NIST Post-Quantum Cryptography Standardization