Recommended key size for life long key

Leo Gaspard ekleog at
Mon Sep 9 00:54:28 CEST 2013

On Sun, Sep 08, 2013 at 06:29:01PM -0400, Robert J. Hansen wrote:
> A factor of 125 is so small as to be irrelevant.

Well... If factoring takes a month, with the factor of 125, it takes ten years.
Seems not that irrelevant to me.

Of course, this is made using completely made up numbers, as I do not at all
know how fast QC will be able to do the factoring.

> The real obstacle is that Shor's algorithm requires 2n qubits to be
> formed in an ensemble, so you'd be going from requiring a 4k quantum
> computer to a 20k quantum computer.  Given decoherence, that might
> amount to a much more insurmountable obstacle.  Still, my money is on QC.

Strangely enough, I would have thought 4k qubits would be quite a huge need,
thus meaning we would have overcome the major problems with decoherence.

But, again, not being a quantum physicist, I cannot be relied upon on that

> The problem is the exact same thing can be said for RSA-2048.  RSA-2048
> is expected to last at least the next 25 years; it may last for the next
> century.  Hard to say.  Depends a lot on the progression of science
> fiction level technologies, like quantum computation.  And again, anyone
> trying to predict out past about 25 years needs to explain why they are
> able to do this where NIST, RSA Data Security, and so many others have
> failed to be able to do this.

You are right, we do not know whether RSA-2048 will hold or not. The only point
I was saying was that RSA-10k will quite likely (even more likely than NIST's
predictions, IMHO) resist at least as long as RSA-2048.

That said, everything is a matter of preference. The only reason I would see for
using a 10k key would be in order to encrypt or sign documents that should be
valid for years -- more years than what we are able to forecast. Because,
unfortunately (or not, depending on the viewpoint), cryptanalysis is

That said, cheers !


More information about the Gnupg-users mailing list