Seperate RSA subkeys for decryption and signing or one for both?

Nicholas Cole nicholas.cole at
Tue Dec 4 17:07:26 CET 2012

On Tue, Dec 4, 2012 at 12:19 PM, Hubert Kario <hka at> wrote:
> On Monday 03 of December 2012 12:41:10 Hauke Laging wrote:
>> Hello,
>> are there arguments for preferring either
>> a) having one RSA subkey for decryption only and one for signing only
>> or
>> b) having only one RSA subkey for both decryption and signing?
>> Do any problems arise with the smartcard if the same key shall do different
>> tasks?
> Keys can become "used up" so it entirely depends on how often you use it.
> What I mean by that, is that any signing operation leaks some information
> about the key used for signing (generally far less than few tens of a bit).
> If you have signed tens of thousands of documents with it, an attacker can
> recover substantial portion of the key and speed up the key recovery.

Do you have a reference for this? I thought the major reason to use
separate signing/encryption keys was that if a user could be persuaded
to sign a chosen encrypted text with the same key, the decryption key
would be revealed.

I've never read before that a key could be "used up" in this way.

More information about the Gnupg-users mailing list