SSH Agent keys >4096 bit?

Robert J. Hansen rjh at
Sat May 5 14:20:19 CEST 2012

On 5/5/12 4:37 AM, Milo wrote:
> This is futile. I'm reminding you that you are giving one example of
> rarely used algo (so _niche_ and _out_of_mainsteam_) to back your
> statement "that there is good amount of them".

"Rarely used" is not the same as "proof of concept."  Your statement did
not mention "out of the mainstream."  No moving the goalposts, please.

You were also arguing that QC would shred all or most asymmetric
systems.  It turns out that no, QC doesn't, can't, won't: it will only
shred the discrete logarithm problem or problems isomorphic to it, such
as integer factorization.  Other systems, whether multivariate, lattice
or Goppa code-based systems, won't be.  (Well -- lattice systems might:
right now they're only conjectured to be outside of BQP.  But Goppa
codes are well-known for being NP-hard.)

If you're now claiming that I've only presented one system, well, that's
because I wasn't aware you were looking for the kitchen sink.  Do some
reading on post-quantum cryptography.  As I read the tea leaves the new
hotness is in the lattice-based systems, but I think systems based on
Goppa codes will continue to surprise us.

> In context of this discussion your statement is ridiculous. At one point
> you even agreed on using 256-bit symmetric cipher for 50+ years
> confidentiality (not guaranteed but at least assumed or expected) and
> now you are turning all things around.

Not at all.

If you're securing nuclear weapon release codes and you ask me, "is it
okay if I use 256-bit crypto?", I will blink a few times and back away
slowly from the thermonuclear weapon while nodding vigorously and making
noises about how they must be secure for fifty years or more, oh and is
that thing releasing radiation right now and where do you plan on
storing this so I can live far away from it.

If you're securing your recipe book and you ask me, "is it okay if I use
256-bit crypto?", I will smile and pleasantly explain that, really, past
about 112 bits it's just an exercise in paranoia.  Use whatever you
like, but managing your keys will be a much more important task than
deciding between 3DES and AES256.

And if you're telling everyone that AES256 will give them a larger
security margin than 3DES, well... at that point I'm going to start
pointing and laughing.  There is enough misinformation and half-truths
floating around the crypto-hobbyist's world: I consider it to be a
polite act towards the community to challenge this when I encounter it.

> 3des is old

Old software engineering joke: "legacy code (n): code that hasn't
crashed in the last 40 years."

You call 3DES old.  I call it quite well tested in demanding production
environments.  More often than not when you swipe a credit card, 3DES is
being used to secure the transaction at various critical points.

> and it's providing something like 80-112 bits of security.

The best attack against three-key 3DES requires almost 10^27 bytes of
RAM.  This is completely impractical, as even the inventor of the attack
has said.  To the best of our knowledge there is no effective way to
reduce three-key 3DES, which is the only NIST-approved version, below
168 bits of key space.

> It has ugly history of keying hacks and some aren't back compatible -

... I have absolutely no idea what you're talking about here.  None.

More information about the Gnupg-users mailing list