Looking for Elgamal sign+encrypt key information

Atom 'Smasher' atom-gpg at suspicious.org
Tue Mar 16 05:55:58 CET 2004

> If Mallory can break a 1024-bit encryption key through brute force (as
> opposed to an algorithm-specific weakness), we can assume that she can
> also forge signatures from 1024-bit keys.  This is the case that you are
> worried about.  BUT, if she does so even once, she introduces into the
> public record an example of a forged 1024-bit signature, and when the
> actual owner of that key is confronted with the fake signature (which
> would likely happen quickly if the signed document was of any
> importance), that owner will know that 1024-bit encryption can be broken
> and would be able to document that fact in public.

if a signature is successfully forged, the owner of the key in question
could publicly *assert* that their key was compromised. they would have a
very difficult time publicly *proving* that their key has been
compromised, and an even harder time proving that the compromise was done
through either brute force or a weakness in the algorithm, rather than
leaking the signing key through human error, computer virus, etc. in all
likelihood, even if one's key was really "cracked", they wouldn't be able
to successfully convince anyone of that.

> The fact is that if 1024-bit signing keys were being broken, we'd
> probably know it, but we would probably never know whether our
> encryption keys were, which is why we have to be a lot more paranoid
> about our encryption key sizes than our signing key sizes.

i've heard that logic, but here's one problem with it: let's say i'm
currently using a 1024 bit signing key, and that 10-20 years from now it
becomes feasible to brute-force a key of that size. what happens if
someone comes to me with a perfectly signed document that's then 20 years
old, saying that i owe them $1M? i can say the document has been forged,
they can say it hasn't been. (this of course assumes that a digital
signature is legally binding)

playing around with gpg 1.3.5, i just confirmed that i can use a 4096 RSA
signing key and an SHA512 hash... i think this gives me a signature as
strong as it seems to be, intuitively....? of course, the signature is 13
lines long! when will DSS be adapted to handle larger keys and hashes?!?

> DISCLAIMER: This is just a summary of information I've read over time
> written by other experts.  I am no expert myself.  If the experts on the
> list disagree with me, listen to them instead.

disclaimer: i'm no expert, especially on the math. and i'm not trying to
disagree, just clarify some points and share my own observations.


 PGP key - http://atom.smasher.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3

	"One may well ask: How can you advocate breaking some laws and
	 obeying others? The answer lies in the fact that there are
	 two types of laws: just and unjust. I would be the first to
	 advocate obeying just laws. One has not only a legal but a
	 moral responsibility to obey just laws. Conversely, one has a
	 moral responsibility to disobey unjust laws."
		-- Martin Luther King, Jr