Beyond Curve25519

Robert J. Hansen rjh at
Fri Jan 16 18:24:25 CET 2015

> Funny... people told that as well with RSA key sizes which are 
> nowadays no longer considered enough... o.O

Back in the early 1990s, a 1024-bit RSA key was believed to be unassailable.

A 1024-bit key is still today considered unassailable... it just doesn't
have anywhere near the security margin that we want.  We advise at least
2048-bit keys to give us a comfortable margin, not because we believe
people are breaking 1024-bit keys.

To give an idea: for to exhaust a 64-shannon keyspace
took them about five years.  They're currently working on exhausting a
72-shannon keyspace, which they project will take about 200 years.
Exhausting an 80-shannon keyspace (about the same as a 1024-bit RSA key)
would take about 5,000 years at that pace, or one year and 5,000 times
the resources of

1024-bit crypto is still strong today.  It's just not as strong as we'd
like and we can do better with few side effects, so let's do better.  :)

> It's really disturbing to read such statements (i.e. "xxx bit 
> security level will be secure forever - except for quantum 
> computers)... it seems as nothing would have been learned from the 
> past :-/

No one will ever exhaust a 128-shannon keyspace until we have
large-scale quantum computers and a few decades in which to operate.

No one will ever exhaust a 256-shannon keyspace.  Ever.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3744 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20150116/8295f42f/attachment.bin>

More information about the Gnupg-devel mailing list