Best Practices

John Clizbe John at
Fri Dec 10 23:52:33 CET 2010

Robert J. Hansen wrote:
> On 12/9/2010 11:08 PM, David Tomaschik wrote:
>> If a new keypair is generated, what length would be sufficient for a
>> decent (10+ year, preferably 20+) margin of safety?  I know that there
>> may be unforeseen advances in computing that allow for keys to be broken
>> rapidly (Quantum computing, new sieve algorithms, etc.), but there's
>> surely some guidance based on the current generation of things.
> There is not.  In twenty years we will see commonplace attacks that
> today are just speculative science fiction.  It's incredibly hard to
> make good long-term predictions about crypto.

A good case in point: some weeks ago a user on another list was asking
about increasing his RSA key size to 8192 bits, based on reading that "Bruce
Schneier, in _Applied Cryptography_, has recommended a 8192 bit key if you want
it to have a useful lifetime beyond 2015."

It was pointed out that Bruce Schneier has done a lot of great work, but
relying on 14-year-old advice for RSA key sizes ignores current work and best
practice thought in cryptography. Over the summer, readers of the [Cryptography]
mailing list were reminded that in 1993 folks thought that 1024-bit RSA
'should be ok (safe from key-factoring attacks) for "a few decades".'

These are just two examples of long-term predictions that missed. Back when
these predictions were made, no one foresaw the development of Elliptic Curve
Cryptography, which is looking likely to be the "upgrade" path for RSA/DSA2 keys
larger than 2048-3072 bits.

A 3072 bit RSA key is as tough as an ECC key based on a 256 bit field, which is
as tough as a 128 bit symmetric key.

ECC cryptosystems on a 256 bit field are practical today. 3072 bit RSA systems
are not.

John P. Clizbe                      Inet:John (a)
FSF Assoc #995 / FSFE Fellow #1797  hkp://  or
     mailto:pgp-public-keys at

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


More information about the Gnupg-users mailing list
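
The 3072-bit RSA / 256-bit ECC / 128-bit symmetric equivalence quoted in the message can be reproduced from attack-cost estimates. The following is an added example, not part of the original post: it assumes the general number field sieve running-time heuristic with the calibration constants 1.923 and 4.69 (the form used in NIST's FIPS 140-2 implementation guidance) for RSA, and generic square-root attacks for ECC. All function names are hypothetical.

```python
import math


def rsa_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of an RSA modulus, estimated from the
    GNFS heuristic cost exp(1.923 * ln(N)^(1/3) * ln(ln N)^(2/3)).
    The -4.69 offset is an assumed calibration constant."""
    ln_n = modulus_bits * math.log(2)  # ln(N) for a modulus of this size
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)  # convert natural-log work factor to bits


def ecc_strength_bits(field_bits: int) -> float:
    """Generic (Pollard rho) attacks on an n-bit curve cost about 2^(n/2)."""
    return field_bits / 2


def min_rsa_bits_for(strength: float, step: int = 256) -> int:
    """Smallest modulus size, in multiples of `step`, reaching `strength`."""
    bits = step
    while rsa_strength_bits(bits) < strength:
        bits += step
    return bits


def equivalents(strength: int) -> tuple:
    """(RSA modulus bits, ECC field bits) matching a symmetric key strength."""
    return min_rsa_bits_for(strength), 2 * strength


if __name__ == "__main__":
    # Key sizes mentioned in the thread.
    for size in (1024, 2048, 3072, 8192):
        print(f"RSA-{size}: ~{rsa_strength_bits(size):.0f}-bit strength")
    rsa_bits, ecc_bits = equivalents(128)
    print(f"128-bit symmetric ~ RSA-{rsa_bits} ~ ECC on a {ecc_bits}-bit field")
```

The sub-exponential growth is visible in the output: going from 3072 to 8192 bits raises the estimate from roughly 132 to roughly 202 bits, while an ECC field gains one bit of strength for every two bits of size.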