Recommended key size for life long key

Doug Barton dougb at
Mon Sep 9 00:25:29 CEST 2013

On 09/08/2013 02:00 PM, Leo Gaspard wrote:
> And this means that, as long as the drawbacks associated with the use of the key
> are assumed by the key owner only (as the tables state, encrypt and verify
> operations being almost unchanged in time), preconizing 10kbit RSA keys is no
> issue, and can only improve overall security, to the key owner's usability's
> detriment at most.

The problem here is the "knowledge sieve" issue. Ole asked some 
questions and did some research, then filtered what he got back through 
a mixture of his preconceived notions, desires, etc. I'm not saying that 
he picked only the data that agreed with his desired conclusion, but he 
seems to have studiously ignored all of the facts that point to why what 
he's trying to do is a bad idea.

Now the next reader is going to come along, very likely someone who is 
more naive about encryption than Ole is, and filter that blog post 
through his own preconceptions, impatience, etc.; and come to the 
conclusion, "If I make a 10k key it'll be safe for life!" Has Ole done 
this reader a disservice?

I think the biggest disservice is a false sense of security. If your 
attacker can only pole vault 10 meters, and you already have a fence 
1,000 meters high, does a 100,000 meter fence make you any more secure? 
And what happens if your attacker develops a technique that is 
universally effective against all fences, no matter the height?

The flip side question is, "What harm is there to using a 10k key?" 
Aside from CPU and storage for the user of the key, everyone else in the 
community bears part of the "cost" when they have to verify a signature 
on an e-mail, for example. Is that a serious enough problem to cause us 
to wish no one would suggest the use of 10k keys? I don't know.

... and all of this is presupposing that his "only a guess" has any 
validity to it at all. I don't know the work by Arjen K. Lenstra and 
Eric R. Verheul that he based his graph on, and I have no idea if Ole's 
method of projecting key sizes out into the future is valid. What I DO 
know (and Robert emphasized this point in his first post), is that those 
authors, and other serious heavyweights in the crypto community have not 
felt comfortable doing what Ole has done. That fact alone should be 
enough reason for anyone not to take Ole's blog post seriously.


More information about the Gnupg-users mailing list