invented, 80 secure bits for collision o 2005, Wang Xiaoyun, Finding Collisions in the Full SHA-1, 69 secure bits o 2017, Marc Stevens, The first collision for full SHA-1, 63 secure bits o 2020, Gaëtan Leurent, …, 61 secure bits • RSA o RSA2048: before GNFS(1990), it's ~1024 secure bits, after, 112 secure bits • AES o AES128: now 128 secure bits o After PQC: 64 secure bits (Grover's Algorithm) • So always add a buffer if you need a longterm secret(cert, …)