Recommended key size for life long key

Pete Stephenson pete at
Sat Aug 31 21:52:30 CEST 2013

On Sat, Aug 31, 2013 at 7:41 PM, Ingo Klöcker <kloecker at> wrote:
> On Saturday 31 August 2013 11:46:31 Ole Tange wrote:
>> The FAQ
>> ize recommends a key size of 1024 bits.
>> Reading I am puzzled why GnuPG
>> recommends that.
>> Why not recommend a key size that will not be broken for the rest of
>> your natural life? (Assuming the acceleration of advances in key
>> breaking remains the same as it has done historically, thus no attack
>> is found that completely destroys the algorithm used).
>> I just generated a 10kbit RSA key. It took 10 minutes which is long to
>> sit actively waiting, but not very long if you are made aware it will
>> take this long and just leave it in the background while doing other
>> work; and to me 10 minutes (or even 10 hours) is a tiny investment if
>> that means that I do not loose the signatures on my key by changing
>> key every 5 years.
> Now try sending a message signed with this key to yourself. And then try
> verifying the signature on this message. And then imagine doing the same
> on a mobile phone with a processor that is 10 times slower than that of
> your PC. I'm pretty sure that this will make you realize that a 10kbit
> RSA key is a PITA for everybody, for you when you sign messages or other
> people's keys and for others when they need to verify your signatures.
> Once you've realized this you might understand the recommendation in the
> FAQ. BTW, the FAQ recommends creating a 1024 bit DSA key; IIRC this is
> more or less equivalent to a 2048 bit RSA key.

According to the site that Ole linked to, discrete
logarithm keys (i.e. those using DSA) are essentially equivalent to
RSA keys in terms of strength. That is, a 2048-bit DSA key is
essentially the same as a 2048-bit RSA key.

That said, the FAQ does appear to be out of date: the default these
days is 2048-bit RSA keys. If one were to generate a new key today,
1024-bit DSA or RSA is a bit short. For most purposes, it probably
wouldn't hurt to generate >= 2048-bit keys as this would likely be
secure for the reasonable future. 3072-bit DSA/4096-bit RSA would be
good for a bit longer, barring any major advances in cryptanalysis --
it's unlikely that an adversary is going to try breaking the crypto
when there's so many other, more feasible means of eavesdropping (e.g.
putting malware on one's computer).

Hopefully GPG supports ECC keys in the near future: 521-bit ECC keys
would offer 256 bits of security while being considerably more
manageable than massive 10k+ RSA keys.


Pete Stephenson

More information about the Gnupg-users mailing list