encryption algorithm

Robert J. Hansen rjh at sixdemonbag.org
Tue Dec 17 23:04:08 CET 2013

> so strong algorithms by default is a good idea.

Yes, which is why RSA-2048 is recommended.

I don't understand the reasoning by which you have concluded that I am  
advocating RSA-1024.  I'm not.  I think the default of RSA-2048 is a  
good one.  I'm only saying that for most users and most purposes,  
RSA-1024 is sufficient; to reach "virtually all users" and "virtually  
all purposes" we have to move to RSA-2048.

> I'm not sure how you get this claim from these reports...

Simple: I'm human and I misremembered NIST's "secure until 2030" as  
"secure for 30 years".  :)

> what it looks like to me.  For example, ECRYPT 2012's report sees
> 2432-bit RSA as equivalent of 112 bit symmetric cipher, which it claims
> is acceptable for ≈20 years.  Please see section 7.2:

NIST's guidance says 2048-bit RSA is equivalent to 112 bits of  
symmetric cipher, as does ENISA and RSADSI.  ECRYPT is certainly free  
to come up with their own metric; they're a competent outfit.  But  
let's acknowledge that ECRYPT's opinion is a minority one, rather than  
cherry-pick an outlier opinion and declare it to be authoritative.

> According to ECRYPT 2012 (same report referenced above), RSA 1024 falls
> in at the equivalent of about 73 bits of symmetric cipher.  According to
> the authors, this is  "Short-term protection against medium
> organizations, medium-term protection against small organizations", not
> "a First World government".

NIST puts it in at 80 bits.  Let's not forget how long it took the  
RC5-64 project to exhaust a 64-bit key.

Can it be broken?  Sure.  Easily?  No.  If you're worried about Google  
being able to mine your message for targeted ads, that's plenty  
enough.  If you're worried about your local sysadmin reading your  
personal mail, that's plenty enough.  If you're sending Vladimir Putin  
slashfic to a Russian publisher, maybe you should rethink using such a  
short key.

> While i don't agree with adrelanos' entire draft, i do agree that the
> default key size for gpg should be larger.

Yes.  You've made this opinion abundantly clear many times.

More information about the Gnupg-users mailing list