Draft of nine new FAQ questions

Nicholas Cole nicholas.cole at gmail.com
Fri May 25 12:41:46 CEST 2012

> ---re #5:  Is RSA-2048 really enough?
> ***start 2nd sentence : And other organizations to whom encryption
> is important (such as RSA...***  [The world changes, and maybe
> an explicit endorsement might not be so appropriate tomorrow,
> but embarrassing or similar to change then.  Just mentioning them
> is an implicit endorsement, IMHO of course]
> According to NIST, yes. Further, other well-respected organizations (such as
> RSA Security) have publicly supported NIST's recommendations.
>  . . .
> key recommendations have been superseded by those in Practical Cryptography,
> which, to repeat, says ***replace "says" with
> "estimates"*** RSA-2048 will be sufficient until the mid-2020s.
> ---re #6:  Can any of the ciphers in GnuPG be brute-forced?
>  . . .
> ***In terms of current scientific understandings, the symmetric
> ciphers used in GnuPG are utterly***
> The symmetric ciphers used in GnuPG are utterly immune to
> brute forcing.  The Second Law of Thermodynamics places strict
>  . . .


> 7.6  .... 2048-bit keys are believed to be immune to brute-forcing until at least 2030.

There's a slight confusion in these answers that I think it would be
really helpful to address in an FAQ.

On the one hand, this new FAQ suggests that attacking a 2048 key is
already so unfeasible that to suggest that a 3072 key would provide
additional security is a nonsense.  On the other hand, there is a
sense that 2048 keys might only provide adequate security until the
mid-2020s / 2030.

Is that because the break-through that is anticipated by the second
statement is some kind of quantum computing success or some similar
advance that completely breaks RSA (and all PKI)?

In other words, what really is the status of a statement like "2048
RSA is believed safe until 2030"?  Back in the 1990s, such predictions
were based on a sense of increasing computing power, and it was
possible to predict with reasonable accuracy when (for example) 512
bit RSA would look possible to factor at imaginable cost.  Is the
"safe until 2030" prediction of a similar quality or just a guess at
when technologies that are currently science fiction might look

I only raise these points because this has become such a recurrent,
sometimes even tiresome theme on this mailing list, that I'd really
like the FAQ to be as comprehensive as possible.

To put the question in the form that sometimes comes up on this list -
what if one wants security until 2040?  Would a 3072 key make sense in
that case or not?

Not that I think my own security needs, by the way, need anything more
than a 512 RSA key, if that...  ;-)

Best wishes,


