RSA 1024 ridiculous

Simon Valiquette v.simon at ieee.org
Mon Jun 18 23:07:09 CEST 2007


Atom Smasher once wrote:
> 
> On Sun, 17 Jun 2007, Remco Post wrote:
>> 
>> Does gnupg support elliptic curve crypto? ;-)
> ======================
> 
> if you're paranoid about RSA, then there's no reason to go to ECC since 
> the math behind it is still young and uncertain.

   The algorithm has been publicly known for over 20 years, so it is 
starting to be not that young anymore.  As an argument, ECDSA is one of 
the algorithms recommended by NIST and is approved in FIPS 186-2.

   It is also known that the NSA, the government of Canada and probably 
many other countries use ECC to protect at least some of their sensitive 
information.  It seems that ECDSA is also already used by at least some 
banks, but I don't know well enough to be sure.

   Here is another argument to support ECC's trustworthiness:

"NSA has determined that beyond the 1024-bit public key cryptography in 
common use today, rather than increase key sizes beyond 1024-bits, a 
switch to elliptic curve technology is warranted."

http://www.nsa.gov/ia/industry/crypto_suite_b.cfm

   Note that the NSA also asks that current electronic signatures be strong 
enough to last at least 50 years, which is something certainly not OT on 
this list.


   That said, 2 years ago I was looking at ECC, and then found out that 
there are apparently hundreds of patents in the USA, not directly on ECC, 
but on different optimisations, families of curves with special properties, 
small variations of ECC, an unknown number of undisclosed submarine patents 
and so on.  That alone is enough to discourage ECC in free software for 
years (and in closed source software where companies are afraid of being 
sued).

   Another point, and not the least, is that implementing ECC properly is 
very difficult and error-prone.  That said, here OSS probably has an 
advantage, as scholars will tend to study implementations for which they 
have the source code.

> while a 1024 bit RSA key 
> ~may~ not be secure for a long time, its old age is due only to computing 
> horsepower, not a "break" in the math behind it. as such, a larger RSA key 
> buys time... and only time will tell if it buys "enough" time for a 
> particular need.

   NIST is saying that RSA-1024 will be OK until 2010, but that you 
should prepare to switch to something more secure in the next few years. 
It also means that if there is something you need to protect for more than 
5 years, you should not use RSA-1024.


Simon Valiquette



