RSA or DSA? That's the question

Robert J. Hansen rjh at sixdemonbag.org
Fri Sep 7 22:54:03 CEST 2007


Noiano wrote:
> In my OpenPGP preferences in Thunderbird I've tried to set SHA-256 but I
> got an error saying it was only possible to use SHA-128. What went wrong?

Beats me, but I'm sure the other Enigmail users on-list will chime in
with helpful advice.

> 0_0 I didn't know that... what bad news!

It's not catastrophic news.  Just because it may be feasible to break
_one_ key that way in five years doesn't mean _all_ keys will need to be
retired.  As an example, I would feel fairly safe using 64-bit symmetric
encryption for my email today, despite the fact distributed.net has
cracked RC5/64.  I don't think people who want to read my email are
willing to invest the thousands of computers and the 18 months that it
took distributed.net, after all.

However, for people who have very, very high security needs, RSA-1024
needs to be considered to be living on borrowed time.

> DSA keysize is 1024 and cannot be changed. Do the considerations above
> apply to a DSA key?

Yes.  No.  You can get a Ph.D. for studying this question.

The current best way to attack the integer factorization problem (the
mathematical heart of RSA) is the general number field sieve (GNFS).
GNFS can also be used against the discrete logarithm problem (the
mathematical heart of DSA and Elgamal), but the memory requirements
become... weird.  Currently we think the memory requirements become
enormous, far far exceeding that required for attacking the IFP, but I'm
aware of no proof that the memory requirement _must_ be that large.

Best advice: don't panic and don't overreact.  If RSA-1024 won't do for
your needs, then DSA-1024 needs to be considered suspect, too.  If
RSA-1024 will do for your needs, DSA-1024 probably will, too.
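
[Added example, not part of the original post or of GnuPG: a keyring audit that applies the advice above by flagging every RSA, DSA or Elgamal key of 1024 bits or less in `gpg --list-keys --with-colons` output. The sample listing, its key IDs and the `weak_keys` helper are constructed for illustration; the 1024-bit threshold mirrors the sizes discussed in the post and is an assumption to adjust to your own needs.]

```python
"""Flag small RSA, DSA and Elgamal keys in `gpg --with-colons` output."""

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1) whose strength
# rests on integer factorization (RSA) or discrete logarithms (DSA, Elgamal).
SIZE_BOUND_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA"}
KEY_RECORDS = {"pub", "sub", "sec", "ssb"}


def weak_keys(colon_listing, max_weak_bits=1024):
    """Return (record, algorithm, bits, keyid) for keys at or below the threshold."""
    findings = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        # Colon format: field 1 = record type, 3 = key length,
        # 4 = public-key algorithm ID, 5 = key ID.
        if fields[0] not in KEY_RECORDS or len(fields) < 5:
            continue
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # empty or malformed length/algorithm field
        name = SIZE_BOUND_ALGOS.get(algo)
        if name and bits <= max_weak_bits:
            findings.append((fields[0], name, bits, fields[4]))
    return findings


# Constructed sample listing (key IDs and user ID are made up). On a real
# system, feed in the output of: gpg --list-keys --with-colons
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
uid:u::::1104537600::0000::Constructed User <user@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1104537600::::::e:
pub:f:1024:1:CCCCCCCCCCCCCCCC:1041379200:::-:::scESC:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1188604800:::u:::scESC:
sub:u:1024:16:EEEEEEEEEEEEEEEE:1188604800::::::e:
"""

if __name__ == "__main__":
    for record, name, bits, keyid in weak_keys(SAMPLE):
        print(f"{record} {keyid}: {name}-{bits}")
```

Subkeys are checked separately from primary keys because a strong primary key can still carry a 1024-bit encryption subkey, as the last record in the sample shows.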



