Looking for Elgamal sign+encrypt key information

Dennis Lambe Jr. malsyned at cif.rochester.edu
Tue Mar 16 03:45:43 CET 2004

On Sun, 2004-03-14 at 20:47, Kurt Fitzner wrote:
> According to some cryptographers[1],
> 1024 bits isn't even a good minimum today.  One point that
> cryptographers make over and over is that no one should wait until a
> keysize is provably too weak.

The reason to select a large key size is to make cracking your key too
much of a hassle to be practical.  The goal is always to make
circumventing your cryptographic measures not worth doing.

The fact of the matter is that circumventing a secure signature system
isn't really worth doing anyway, so key size on signing keys is much
less of an issue than on encryption keys.  Here's why:

There is no known agent currently capable of wholesale, or for that
matter even targeted, breaking of 1024-bit RSA or DSA keys.

If a malicious agent (the hypothetical Mallory) did have that
capability, it is likely that she would not want that information to be
known.  If it were, the public would upgrade to larger key sizes and all
of that expensive technology would become worthless.

Mallory can continue intercepting and decrypting 1024-bit-encrypted
messages indefinitely without being discovered (unless she is careless
with the data she obtains) because exploiting a cracked 1024-bit
encryption key is an act that can be carried out with an arbitrary
degree of privacy.

If Mallory can break a 1024-bit encryption key through brute force (as
opposed to an algorithm-specific weakness), we can assume that she can
also forge signatures from 1024-bit keys.  This is the case that you are
worried about.  BUT, if she does so even once, she introduces into the
public record an example of a forged 1024-bit signature, and when the
actual owner of that key is confronted with the fake signature (which
would likely happen quickly if the signed document was of any
importance), that owner will know that 1024-bit encryption can be broken
and would be able to document that fact in public.

Once that information is public, 1024-bit encryption will be flagged as
breakable, everyone will know about Mallory's ability, and her
clandestine snooping activities will have been halted.

So if Mallory can break 1024-bit public keys she can use that ability to
snoop on information only so long as the world thinks it is safe from
her.  Breaking a signing key and using it to forge a signature would
destroy that ability by making her ability known.

The fact is that if 1024-bit signing keys were being broken, we'd
probably know it, but we would probably never know whether our
encryption keys were, which is why we have to be a lot more paranoid
about our encryption key sizes than our signing key sizes.


DISCLAIMER: This is just a summary of information I've read over time
written by other experts.  I am no expert myself.  If the experts on the
list disagree with me, listen to them instead.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 279 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20040315/a7ed2e31/attachment.bin

More information about the Gnupg-users mailing list