Key length for integer- and finite-field cryptography

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 7 19:32:27 CEST 2014


> Take-home: If you are using AES-256, you should max out your key size
> in GnuPG. (It is regrettable that only some versions seem to support
> strong key-sizes.)

Good grief, *no*, *no*, *no*.

This keeps on getting dusted off, and the answer never changes.  Please 
forgive me if I'm a little irate here, but I'm getting really tired of 
people who bring this up without checking the mailing list history.

*If you require 256 bits of entropy throughout, you need to use 
something other than GnuPG.*  PGP stands for "Pretty Good Privacy."  Not 
perfect privacy, just pretty good, and not 256 bits of entropy 
through-and-through.  In fact, OpenPGP can only really be relied upon to 
provide 112 bits of entropy[*].

The take-home is the same as it's always been.  "If you need X bits of 
entropy, check to make sure each step in the link provides at least X 
bits.  If some provide more, that's fine."

The average user will be well-served by 112 bits of entropy.  That means 
RSA-2048 works just fine for the average case.  If a user who's 
well-served by 112 bits of entropy wants to use AES-256, there's nothing 
wrong with that, and the suggestion that they should revoke their 
certificate and patch GnuPG to produce 16kbit keys is *just* *flamingly* 
*wrong*.

Using AES-256 is *not* a good reason to start using RSA-16k.



[*] If you want to know why this is the case, check the mailing list.
Short version: you have no control over what algorithms your 
correspondents use, and they can always choose 3DES.
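
The "check each step" rule from the message above, as an added example that is not part of the original post or of GnuPG. The function names are hypothetical, and two things are assumptions brought in from outside the post: the symmetric strengths follow the NIST SP 800-57 estimates, and the RSA figure is the uncalibrated heuristic GNFS cost.

```python
import math

# Symmetric strengths in bits (NIST SP 800-57 Part 1 estimates; assumption,
# not from the post). Three-key 3DES is rated at 112 bits.
SYMMETRIC_BITS = {"3DES": 112, "AES128": 128, "AES192": 192, "AES256": 256}


def rsa_strength_bits(modulus_bits):
    """Rough symmetric-equivalent strength of an RSA modulus n, taken from the
    heuristic GNFS cost exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)).
    Uncalibrated: it runs a few bits above the NIST table (2048 -> 112)."""
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


def chain_strength(rsa_bits, sender_ciphers):
    """Return (floor_bits, weakest_link) for a message sent to this key.

    sender_ciphers lists the ciphers a correspondent might pick. 3DES is
    always added, because the recipient cannot stop a sender choosing it.
    """
    links = {f"RSA-{rsa_bits}": rsa_strength_bits(rsa_bits)}
    for name in set(sender_ciphers) | {"3DES"}:
        links[name] = SYMMETRIC_BITS[name]
    weakest = min(links, key=links.get)
    return links[weakest], weakest


def meets_requirement(required_bits, rsa_bits, sender_ciphers):
    """True only if every link in the chain provides at least required_bits."""
    floor, _ = chain_strength(rsa_bits, sender_ciphers)
    return floor >= required_bits


if __name__ == "__main__":
    for bits in (1024, 2048, 16384):
        floor, link = chain_strength(bits, ["AES256"])
        print(f"RSA-{bits} + AES256: floor {floor:.0f} bits, limited by {link}")
```

Moving from RSA-2048 to RSA-16384 leaves the floor at 112 bits, because the 3DES link is unchanged.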


