SSH Agent keys >4096 bit?

Milo gnupg at oneiroi.net
Sat May 5 10:37:35 CEST 2012


On 05/05/2012 01:57 AM, Robert J. Hansen wrote:
> On 05/04/2012 04:35 PM, Milo wrote:
>> Yes - niche, proof-of-concept, poorly analyzed ciphers. Let's talk
>> about those widely used and considered mainstream. Those are our
>> biggest concern.
> 
> McEliece is almost as old as RSA.  Generations of graduate students have
> tackled it in cryptanalysis courses.  Almost a thousand academic papers
> have been published on it.  None have shown any significant weaknesses
> in McEliece.
> 
> Its inventor, Robert McEliece, received the Claude E. Shannon Award a
> few years ago.  What the Fields Medal is to mathematics, or the Turing
> Prize is to pure computer science, the Shannon Award is to information
> theory.
> 
> On the one hand, we have a cipher designed by a Shannon recipient which
> has had almost a thousand papers published about it without any really
> significant results.  On the other hand, we have you calling it a niche,
> proof-of-concept, poorly-analyzed cipher.

This is futile. I'm reminding you that you are giving one example of a
rarely used algo (so _niche_ and _out_of_mainstream_) to back your
statement "that there is a good amount of them".

>> I'm not suggesting that a longer key for asymmetric ciphers is a cure
>> for quantum-computing-backed cryptanalysis.
>>
>> I wrote about a possible, future way of circumventing the need of sucking
>> a nova's energy to successfully attack the cipher(text).
> 
> (...)
> 
> Any of the four puts us back into the realm of science fiction.  If
> you're advocating making keys larger, I'd like to know which of the four
> science fiction breakthroughs you expect might happen.  And no matter
> which of the four you choose, I'll point out that should your chosen
> breakthrough come to pass, we will all have much bigger things to worry
> about than whether our 20-year-old communications are still safe.

This is possibly a really big thing to worry about. Especially in countries
where pizza is a vegetable... But again, you are making another attempt to
revalue data which isn't yours with your "value system".

>> Thanks for pointing that out, but in the considered situations this is a
>> slight difference.
> 
> Halving the strength of a 128-bit cipher leaves you with 127 effective
> bits of security.  Rooting the strength of a 128-bit cipher leaves you
> with 64 effective bits of security.  The former is still well beyond our
> ability to brute-force: the latter is well within our ability to brute
> force.  I don't consider this to be a slight difference.

"(...) Thus in the presence of large quantum computers an n-bit key can
provide at least n/2 bits of security."

Slight difference. I don't have more comments.

>> You can't tell a consumer or end-user that he can't use a 256-bit
>> symmetric cipher for his (even!) porn stash because this is some kind
>> of faux pas and he is an iconoclast because of this.
> 
> I cannot force someone to not use a 256-bit cipher, true.  I can
> certainly point and laugh at people who believe using one makes them
> more secure, though.
> 
> Nobody has the right to be taken seriously.  That's a privilege that
> must be earned.

In the context of this discussion your statement is ridiculous. At one point
you even agreed on using a 256-bit symmetric cipher for 50+ years of
confidentiality (not guaranteed but at least assumed or expected) and
now you are turning everything around.

You are not able to understand that people can get a better security
margin dirt-cheap and some stuff can be worth securing for them for
long, long years. Calling them "not serious" for picking a 256-bit
symmetric cipher is... Well, I don't have more comments here.

>> Really? Then what's the reason behind 256-bit hw-supported crypto
>> (e.g. AES instructions for amd64 and x86), widely accessible on the
>> consumer market, which has nothing to do with nuclear weapons?
> 
> Marketing.

No. Healthy security margin.

> The dirty little secret of crypto is that we've had a *great* symmetric
> cipher ever since the mid-1970s: 3DES.  It's big.  It's ungainly.  It's
> slow.  It has all the aesthetics of the Soviet Realism school of art.
> It's very hard to code up because there are so many fiddly bits.  And
> yet, 3DES has been turning the best minds in crypto into burned-out
> alcoholic wrecks for the last 35 years.
> 
> It has been undergoing constant attack for 35 *years*.  Entire new
> branches of cryptanalysis have been invented just to try and dent it.
> These approaches have all failed miserably.
> 
> There are a few niches where 3DES doesn't work very well.  If you need a
> cipher that can encrypt a 1000baseT connection, you're better off using
> something faster.  If you need it on a smartcard, you're better off
> using something more space-efficient.  But for the rest of the problem
> space, 3DES has been rocking the house for almost as long as I've been
> alive.
> 
> So here's the question: why isn't 3DES used in more places?
>
>
> Marketing.  Because people -- both in the private sector and in the Free
> Software world -- want to be able to say they support the latest and
> greatest and best thing.

3DES is old and it's providing something like 80-112 bits of security.
It has an ugly history of keying hacks and some aren't backward compatible,
which is ugly. Your "porn stash" (in a metaphorical sense, possibly) can
be safe today, but not tomorrow. It's not marketing.

-- 
Regards,
Milo
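As an added example (not part of the thread or either writer's words), the arithmetic behind the "halving vs. rooting" exchange and the 80-112 bit figure for 3DES, in Python: an attack that halves the brute-force work costs one bit, whereas Grover's square-root speedup halves the number of bits. The cipher table and the 128-bit target are my assumptions.

```python
# Added example: effective symmetric security in bits, classically and
# against a large quantum computer running Grover's algorithm.
import math

# Assumed table (not from the thread): key length and the commonly cited
# classical security level. 2-key 3DES is rated ~80 bits and 3-key 3DES
# ~112 bits because of meet-in-the-middle style attacks, not the raw key size.
CIPHERS = {
    "3DES-2key": (112, 80),
    "3DES-3key": (168, 112),
    "AES-128": (128, 128),
    "AES-256": (256, 256),
}


def work_halved_bits(bits):
    """'Halving the strength': an attack that halves the exhaustive-search
    work removes exactly one bit (2^128 -> 2^127 operations)."""
    return bits - 1


def grover_work(bits):
    """Grover searches a 2^bits keyspace in about sqrt(2^bits) iterations."""
    return math.isqrt(2 ** bits)


def grover_bits(bits):
    """'Rooting the strength': sqrt(2^n) = 2^(n/2), i.e. n/2 bits remain.
    Key sizes in the table are even, so integer division is exact."""
    return bits // 2


def security_table(target_bits=128):
    """For each cipher, report classical and Grover-adjusted bits and whether
    each still meets the assumed long-term target."""
    rows = {}
    for name, (key_bits, classical) in CIPHERS.items():
        quantum = grover_bits(classical)
        rows[name] = {
            "key_bits": key_bits,
            "classical_bits": classical,
            "grover_bits": quantum,
            "meets_target_classical": classical >= target_bits,
            "meets_target_quantum": quantum >= target_bits,
        }
    return rows


if __name__ == "__main__":
    for name, row in security_table().items():
        print(name, row)
```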
