SSH Agent keys >4096 bit?

Robert J. Hansen rjh at
Fri May 4 14:40:31 CEST 2012

On 05/04/2012 06:07 AM, Hubert Kario wrote:
> It still doesn't change the overall picture:
> 1. migrating to ECC is hard and complicated
> 2. using 8k RSA is easy

Nor does it change

3. using 8K RSA gives a modest increase to an already formidable
   margin of security

Breaking a 128-bit keyspace is hard.  Like, really, really hard.  The
power analysis on that one is eye-popping: to break a 128-bit keyspace
in anything approaching a reasonable length of time requires an energy
output on the level of a hypernova.  If you want to break a 128-bit
keyspace, please do it in a galaxy far, far away.  So why do we need to
increase a 128-bit keyspace (RSA-3K) to a 192-bit-plus-a-small-amount
keyspace (RSA-8K)?

The obvious response is "to defend against enhanced attacks against RSA,
such as quantum computing and Shor's Algorithm."  But that's just crazy.
 Shor's Algorithm requires 2N qubits to break an N-bit key.  Right now
we've got quantum computers that have, what, eight qubits?  Any RSA
modulus smaller than sixteen is in trouble now, let me tell you.

An effective quantum computer with the 6144 qubits required to break a
3072-bit RSA key is straight out of science fiction.  This quantum
computer would be more powerful than any conventional computer could
ever be: a conventional computer would require 10**1850 bytes of storage
-- and no, that is not a typo -- to compete against it: that should give
you a sense of the outrageous scale involved.  There is no other way to
describe this than science fiction.

If you want to defend against science fiction, well, go right ahead.
But I think you should also defend against other sorts of fiction, and I
look forward to hearing how your security model will incorporate G.I.
Joe to fight off the hordes of blue-suited terrorists sent by Cobra

And yes, I really do believe that worrying about the development of
large-scale quantum computers is on the same level of seriousness as
worrying about Cobra Commander.

> What has online/offline net connection anything to do with that? Storing 
> acquired information for 20 years is nothing extraordinary as far as 
> intelligence agencies and highly motivated individuals are concerned.

How many petabytes are sent across the wire each day?  Do you really
think people will be storing all of today's traffic for twenty years,
just so some analyst not even born yet will someday be able to say,
"wow, I really want to see what's in this random guy's porn stash!"?

If you have reason to believe you're a person of such interest to such
professionals as would be likely to monitor and store your
communications for twenty years, here's the only effective way to secure
your communications: stop using any technology more sophisticated than a
frying pan.

bin Laden didn't keep his communications secure by using large RSA keys.
 He kept his communications secure by abandoning technology and using
cut-outs to do his online transactions for him, and making them travel
hundreds of kilometers away from Abottabad before checking into an
internet cafe to send his traffic.

More information about the Gnupg-users mailing list