axelarnetwork / tofn

A threshold cryptography library in Rust
Apache License 2.0

RSA modulus size and security #170

Closed milapsheth closed 2 years ago

milapsheth commented 2 years ago

We're currently using a 2048-bit RSA modulus for the Paillier encryption keypair and the Zk setup. But it's recommended to use a 3072 or 4096-bit modulus instead. According to (a bit dated) Table 2 (Pg. 64) of NIST SP, RSA 2048 has security of about 112 bits, whereas RSA 3072 has security of 128 bits. Taking into account improvements to factoring algorithms in the future, a proactive approach would be to switch to RSA-4096.

The disadvantage of this is that generation of safe primes becomes quite slow for larger bit lengths. Generating RSA-3072 with our implementation would take 160 secs and RSA-4098 would take 400s.

We might be able to avoid safe primes for the encryption keypair completely, but for the Zk setup we still need it. What are the implications of using only a 2048-bit modulus for the Zk setup but a 4096-bit modulus for the encryption keypair?
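To make the cost discussed in the comment above concrete, here is an added example (not part of the thread and not tofn's code) that generates safe primes p = 2q + 1 and counts how many random candidates are rejected before one is found. The function names, the Miller-Rabin test and the small-prime trial division are assumptions chosen for illustration; the demo uses small bit lengths so it finishes quickly.

```python
import secrets
import time

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; error probability <= 4**-rounds."""
    if n < 2:
        return False
    if n in (2, *SMALL_PRIMES):
        return True
    if n % 2 == 0 or any(n % s == 0 for s in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no base-witness chain reached n-1: composite
    return True

def generate_safe_prime(bits):
    """Return (p, tried) where p = 2q + 1, p and q prime, p exactly `bits` long."""
    tried = 0
    while True:
        tried += 1
        # Top two bits of q set, so a product of two such p has exactly 2*bits bits.
        q = secrets.randbits(bits - 1) | (3 << (bits - 3)) | 1
        p = 2 * q + 1
        # Cheap trial division on both q and p rejects most candidates early.
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p, tried

def generate_modulus(bits):
    """Return (N, tried): N is a product of two distinct safe primes, `bits` long."""
    p, tried_p = generate_safe_prime(bits // 2)
    while True:
        q, tried_q = generate_safe_prime(bits // 2)
        if q != p:
            return p * q, tried_p + tried_q

if __name__ == "__main__":
    for bits in (256, 512):  # demo sizes only, far below the 2048+ bits discussed
        start = time.perf_counter()
        n, tried = generate_modulus(bits)
        print(f"{n.bit_length()}-bit modulus: {tried} candidates, {time.perf_counter() - start:.2f}s")
```

Both q and 2q + 1 must be prime, so the number of candidates grows roughly with the square of the bit length, and each primality test also gets more expensive as the numbers grow.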

milapsheth commented 2 years ago

@sergeynog mentioned that axelar-core rotates keys every day and only keeps around the last 8 keys. So, a 2048 RSA modulus is still secure enough since an attacker only has a small amount of time to break it. Even if axelar-core increases the number of days keys are around for, for a reasonable number of days, this is still not a concern.