key length

Leo Gaspard ekleog at gmail.com
Thu Jun 26 00:40:28 CEST 2014 

On Wed, Jun 25, 2014 at 10:13:04PM +0200, steve wrote:
> Hi all,
> we (GPGTools) had a brief meetup with Nico (he’s contributing to Enigmail) today. He suggested raising the key length default to 4096bit. The idea came via a suggestion from Rüdiger Weiß on the 30C3 congress (https://www.youtube.com/watch?v=1dhCDJ_LVuY).
> We just changed the key length default to 4096bit for new keys created with GPG Keychain Access on OS X.
> We are planning to adjust this default in MacGPG2 for the next stable release.
> Are there any objections to this? Any drawbacks we didn’t think of?
> Best regards, Steve
> @GPGTools
> https://gpgtools.org

May I suggest to read... well, take a random message from the past month (on
gnupg-users at gnupg.org), and that should be it.

To put it in a nutshell, it's pointless, for weaknesses do not come from key
length. The default (2048bit) is a perfectly reasonable default, and edge cases
requiring longer keys should know how to raise key length. Raising the key
length gives a greater feeling of security, not a greater security.

BTW, this makes yet another reason to keep 2048bit as a default: people will be
happy and think themselves smarter than anyone else when raising their key
length, and perhaps even feel *more* secure than if the default was 4096bit
(which is wrong, but a feeling of security is what most people crave in
encryption; otherwise they would not bother to raise their key length).

And, for the argument that RSA-768 was deemed secure: First, there are 2**2560
more keys in RSA-2048 than RSA-768 (yes, this is completely wrong, as it assumes
a constant repartition of primes... 0.141 * 2**2560, that is approx. 2**2557 is
closer, assuming Hadamard -- La Vallée-Poussin is a good approximation for
primes in this range [it is off by far fewer than 1% according to empirical
studies] and any pair of primes makes a valid RSA key).
Then, and this argument is a matter of opinion, I've got no numeric data to
support it, but I believe even RSA-768 still cannot be broken by your wife to
discover you cheated on her. It might be broken by three-letter agencies, but
will they pay that much energy to read your shopping list?

Please, please, do not answer this message. Or, if you really *really* want to
do so, please consult http://bikeshed.com first (thanks to have made me discover
this link, Doug).

HTH,

Leo

More information about the Gnupg-devel mailing list