Key length for integer- and finite-field cryptography

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 7 21:21:27 CEST 2014


> Generally agreed. (I'm assuming you mean 'security strength' when
> you write 'entropy'; hopefully GnuPG can use arbitrary amounts of
> entropy if the system RNG can provide it.)

No, I meant entropy.  Entropy is a measurement, not a thing.  (Well, not
at the macro level.  On a quantum scale it gets very thing-like.)  For
that reason it's not correct to say "GnuPG can use arbitrary amounts of
entropy," because entropy isn't a thing to be used.  Yes, you'll see
people -- including me, from time to time -- talk about entropy as if it
were a thing, but really, that's sloppy language and we (myself
definitely included!) should strive for accuracy.

Entropy measures the amount of uncertainty present in a system, and is
normally calibrated in either nats, shannons or harts.  "Bit" is used
more or less synonymously with shannon, although really, we should be
talking about shannons.  One nat is 1.44 Sh or .434 harts.

So, yes, I stand by what I said, except that if you're giving me the
chance at a do-over I'll change one word.  :)  "If you need 256 shannons
of entropy throughout, you need to use something other than GnuPG."

> Completely in agreement; do you disagree with the RSA bit-lengths I
> mentioned?

NIST is a very reputable outfit with some very sharp people.  No one
should listen to my opinion over theirs.  For that reason it doesn't
matter if I agree or disagree with them.

However, I will point out that there have been other very reputable
outfits with other very sharp people who have reached different
conclusions.  ENISA's key equivalencies are different from NIST's, for
instance...

> Using AES-256 is *not* a good reason to start using RSA-16k.
>
> But wanting a 256-bit security strength is, right?

Not really.  Decisions ought to be driven by needs, not by wants.  If you
can get more uncertainty than you need without heartburn, go for it, but
telling people that they should patch GnuPG and use an unsupported
RSA-16k key just because they want 256 shannons of entropy is ... a bit
much.

Attend to your needs, and take what opportunities present themselves for
extra margins of safety where possible.  But don't go overboard chasing
those extra margins.
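An added worked example, not part of Robert's message and not GnuPG code: it computes the Shannon entropy of a distribution in shannons and converts it to nats and harts (reproducing the "one nat is 1.44 Sh or .434 harts" figures), and then applies the measurement to a key source. The key model treats each byte of the key as an independent draw from one source distribution; that independence assumption and the biased source (a byte generator whose top bit is stuck at 0) are both constructed for illustration and are not claims about any real RNG.

```python
import math
from collections import Counter

LN2 = math.log(2)          # nats per shannon
LOG10_2 = math.log10(2)    # harts per shannon


def shannon_entropy(probabilities):
    """H(X) = -sum p(x) log2 p(x), measured in shannons (bits).

    Zero-probability outcomes contribute nothing, so they are skipped.
    """
    return -sum(p * math.log2(p) for p in probabilities if p > 0.0)


def in_units(shannons):
    """Express an entropy measured in shannons in all three units."""
    return {
        "shannons": shannons,
        "nats": shannons * LN2,
        "harts": shannons * LOG10_2,
    }


def nat_in_other_units():
    """One nat expressed in shannons and harts."""
    return in_units(1.0 / LN2)


def empirical_distribution(symbols):
    """Per-symbol probabilities estimated from an observed sample.

    The sample is whatever the caller constructs; this is a frequency
    estimate, not a proof of how the underlying source behaves.
    """
    counts = Counter(symbols)
    total = len(symbols)
    return [c / total for c in counts.values()]


def key_entropy(per_symbol_probabilities, n_symbols):
    """Entropy of a key made of n_symbols independent draws from one source.

    Independence between draws is an assumption of this toy model.
    """
    return n_symbols * shannon_entropy(per_symbol_probabilities)


def uniform_byte_source():
    """A byte source where every value 0..255 is equally likely: 8 Sh/byte."""
    return [1.0 / 256] * 256


def biased_byte_source():
    """Constructed faulty source: the top bit is stuck at 0, so only 128 of
    the 256 byte values can ever occur. That is 7 Sh/byte, not 8."""
    return [1.0 / 128] * 128 + [0.0] * 128


if __name__ == "__main__":
    print("1 nat =", nat_in_other_units())
    # A 32-byte (256-bit) key from a uniform byte source: 256 Sh.
    print("uniform 32-byte key:", in_units(key_entropy(uniform_byte_source(), 32)))
    # The same key length from the stuck-bit source: only 224 Sh.
    print("biased 32-byte key: ", in_units(key_entropy(biased_byte_source(), 32)))
    # Constructed sample: a 'random' file that is mostly repeated bytes.
    sample = b"\x00" * 60 + b"\xff" * 4
    print("sample entropy/byte:", in_units(shannon_entropy(empirical_distribution(sample))))
```

The point the numbers make is the one in the message: "256 shannons" is a statement about the source distribution the key was drawn from, not about the number of bits in the key. A 256-bit key from the biased source is still 256 bits long, but only 224 shannons of uncertainty.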



More information about the Gnupg-devel mailing list