s2k-cipher-mode default

Robert J. Hansen rjh at sixdemonbag.org
Wed Jun 3 17:37:41 CEST 2015

> And now consider the 10**50 messages djb assumes.

Time for me to put out a big "I screwed up" message.  I screwed up: my
math is, in fact, wrong.  I was in a boring meeting today and was
mentally reviewing my math and realized, "wait, there's no way a 2**-78
chance of picking a weak key by accident corresponds to a 10**-53 chance."

I was right.

There are a few different ways you can convert between log bases, but
like many mathematically-inclined people I have an affinity for base e.
Conversions into and out of base e are really simple.  To convert a
logarithm in base N into base e, multiply by ln(N).  To convert a
logarithm in base e into base N, divide by ln(N).  And so on.

The binary logarithm of 2**-78 is -78.  Multiply that by ln 2 and you
get -53.  2**-78 is e**-53.

You guys see the problem, right?  I converted it into base e, but
neglected to convert it into base 10.  ln(10) is about 2.3.

So 2**-78 = e**-53 = 10**-23.

Yowch.  It's not every day you create an error of thirty orders of
magnitude, but ... there you have it.  (I'm still an amateur, though.
The physics community has an error of 120 orders of magnitude in their
computed value for the cosmological constant, and they still have no
idea where they're screwing up.)

This changes the math slightly.  You now need about 10^20 messages to
have a very small chance of one message being encrypted with a weak key,
not 10^50.  That's still a *huge* number, though, and is greater than
the number of GnuPG messages I expect to ever be encrypted.

I'm still not worried, the conclusion is still sound.  Still, an error
of thirty orders of magnitude should be noted -- and if anyone wants to
point at me and laugh, I definitely deserve it.  :)

More information about the Gnupg-users mailing list