SSH Agent keys >4096 bit?

Milo gnupg at
Fri May 4 22:35:01 CEST 2012

On 05/04/2012 05:13 PM, Robert J. Hansen wrote:
> On 05/04/2012 10:17 AM, Milo wrote:
>> Well, many expect the rise of quantum computing during the lives of most
>> of us. This can trash most (if not all) asymmetric algorithms
>> (Shor's algorithm)
> No.  It can trash *some* asymmetric algorithms.  There are a good number
> of asymmetric algorithms whose decision problem exists outside of BQP.
> (McEliece, for instance.  For those wondering what BQP is, it's the
> quantum computing analogue to P: it describes those problems you can
> solve in a reasonable time with a quantum computer.)

Yes - niche, proof-of-concept, poorly analyzed ciphers. Let's talk about
those widely used and considered mainstream. Those are our biggest concern.

> I do not understand how, if you're concerned about quantum computing,
> you can believe "it will all be better if we just use larger keys!",
> rather than "it will be better if we use algorithms that cannot be
> efficiently solved by a quantum computer."

I'm not suggesting that a longer key for asymmetric ciphers is a cure for
quantum-computing-backed cryptanalysis.

I wrote about a possible future way of circumventing the need to suck
a nova's energy to successfully attack a cipher(text).

>> and reduce strength of symmetric ciphers in half (with for example
>> Grover's algorithm).
> Not half, reduce the strength of symmetric ciphers by a square root.  A
> 128-bit cipher's strength is not halved (which would make it 127-bit);
> it's reduced to the equivalent of 64 bits (the square root of 128 bits).

Thanks for pointing that out, but in the considered situations this is slight

>> Besides this, consider the widespread usage of 256-bit symmetric ciphers.
>> If the things you are writing are all the truth behind key length
>> security, we are dealing with huge, mass overkill or even a scam
>> perhaps. But I think we aren't.
> It's worth noting that, per Suite B, 256-bit crypto is only required for
> material that's at the top of the classification pyramid: things like
> nuclear weapon release codes and other things that might cause 300
> million people to have a really bad day.

You can't tell a consumer or end-user that he can't use a 256-bit symmetric
cipher for his (even!) porn stash because this is some kind of faux pas
and he is an iconoclast because of this. It's up to him. Especially as he can
get this for almost the same price (we can easily count CPU cycles,
electricity used and so on, but from a practical point of view the difference
is slight).

> 128-bit crypto is considered quite sufficient for the rest of the
> nation's secrets.

Really? Then what's the reason behind 256-bit hw-supported crypto (e.g.
AES instructions for amd64 and x86), widely accessible on the consumer
market, which has nothing to do with nuclear weapons?

> Also, some people are using symmetric crypto for secrets that must be
> preserved for 50+ years -- census data, for instance.  If you're
> concerned about 50+ years of confidentiality, then yes, it makes sense
> to go hog-wild on key lengths.  But for the rest of us, the
> confidentiality of our communications will be better-served by many
> other measures than just adding more bits to the key.

One more time - it is not up to you or software authors to decide
what the value behind encrypted data is. Even if the reason for encrypting it
is silly.

>> Just like modern cellphones' CPU/GPUs are s-f from Apollo mission's
>> engineers' perspective, just like "640K ought to be enough for
>> anybody" and like 32-bit address space for IP protocol is more than
>> enough. History is showing quite clearly that such speculations
>> despite - often high - competencies of the authors are missed.
> (...)
> Introduce quantum algorithms, though, and suddenly quite respectable
> computer scientists suddenly start sweating bullets and saying, "uh, I
> don't quite know about this, umm, *in theory* it will be kind of like
> this, but the practical ramifications are ... hey, look at the time,
> gotta go."
> 6000-qubit quantum computers are a magic so subtle they are
> indistinguishable from high technology.  They might, if we are
> fortunate, be invented in our lifetimes -- but let's not go about saying
> we need 8K RSA keys to defend against 6000-bit quantum computers.  If
> quantum computers bother you that much, use McEliece.
>> Please try to avoid comedic undertone of your statements and
>> comparisons if you want to keep discussion's level sane.
> The discussion was already profoundly silly: the overt comedic
> statements drew attention to this.  Successfully, apparently.
> (...)
>> Giving users an easier-than-hacking-through-sources way of setting
>> a bigger key size isn't a crime.
> No, but there's no point in it, either.  Frankly, I'd rather the GnuPG
> developers spent their time on pursuits that are more reasonable and
> will give a better return on investment.

Well, this could be a win-win approach for both "camps" because of the
outcome/effects of the devs' work.

