RSA 4096 ridiculous?

Brian Smith brian at
Wed Jun 20 14:32:03 CEST 2007

Werner Koch wrote:
> > It took me infinitely longer to type the pass-phrase for the signing

> > than it took to actually create the sigs which seemed to be almost 
> > instantaneous. Timing the signing is sort of ridiculous 
> That is true for your desktop box.  However, for small 
> devices like PDAs a 4k RSA key is a lot of work.  The problem 
> might not be the generation or verification of a single 
> signature but some of use have hundreds of signatures on 
> their key and checking them all will take a lot of time.

The software only needs to verify the signatures that are going to
affect the trust of the key. For a lot of people this will usually be a
very small number (0 or 1). Even if a key has hundreds of signatures, it
is unlikely that the user has (a) installed those hundreds of keys onto
the device, and (b) granted key-signing trust to more than a few of

None of the mobile phones I tried had no trouble using RSA 4096 to
encrypt or decrypt a 16 byte key. If the phone has a JVM and/or a web
browser, RSA 4096 and AES should be no problem.


More information about the Gnupg-users mailing list