Should I be using gpg or gpg2?

Robert J. Hansen rjh at sixdemonbag.org
Tue Sep 29 18:04:59 CEST 2015


> AFAIK RSA-3072 (and ElGamal-3072) are comparable to AES-128.

No: they're comparable to AES-128 *at our present level of mathematical
knowledge*.  That's a very important qualifier.

Back in the mid-to-late '80s, Ron Rivest declared that 1024-bit RSA keys
would be unbreakable for at least the next century.  The initial
releases of PGP 2.6 offered 512-bit, 768-bit, and 1024-bit keys, and
people recommended against using 1024-bit keys the same way we recommend
against 16384-bit keys today.  And, at the time these predictions were
made, there was every reason to think they were accurate.  They just all
made the same error, which was thinking the quadratic field sieve
couldn't be improved upon.  That was a conjecture.  It turned out to be
false.

When the general number field sieve was invented, almost immediately
afterwards factoring records began to fall.  Today, 512- and 768-bit
keys are considered grossly inadequate, and a 1024-bit key is on the
razor's edge of adequacy.

I don't know when the next mathematical revolution (something like the
general number field sieve) will come along.  But when it does, it's
going to really upend the apple cart and our RSA-3072 keys aren't going
to be equivalent to AES-128 any more.

> That's strong enough for the foreseeable future; the only known thing
> they are vulnerable to (except for rubber-hose cryptography,
> keyloggers and other "cheats") is a working quantum computer.

No, they're vulnerable to some graduate student slurping up a bowl of
ramen who looks at something on the blackboard and says, "hey, that's
weird."  It's happened before: look into George Dantzig.

Dan Boneh has already published an awe-inspiring paper showing that RSA
isn't anywhere near as safe as we think it is:

http://crypto.stanford.edu/~dabo/abstracts/no_rsa_red.html

Breaking RSA is not equivalent to factoring; it's possible to break RSA
without needing to factor large numbers.  We just don't know how and
we've made precisely zero headway on that question.

But you never know when a George Dantzig will appear.  And that means I
think your long-term confidence in RSA is misplaced.



More information about the Gnupg-users mailing list
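The "RSA-3072 is comparable to AES-128" figure debated above is not a law of nature; it is read off the running time of the best known factoring algorithm, which is exactly why the qualifier "at our present level of mathematical knowledge" matters. The following is an added worked example, not part of the original thread and not GnuPG code: it evaluates the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] for common modulus sizes, calibrates that curve against a published factoring record (this example assumes the RSA-768 effort of roughly 2^67 operations reported by its authors), and then shows how every key's estimate would move if a general-purpose method ever reached the SNFS constant (32/9)^(1/3). That last step is purely a what-if, since SNFS only applies to numbers of special form. The function names, the calibration point and the bisection search are this example's own choices.

```python
import math

# Asymptotic constants of the number field sieve, in L-notation
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).
# GNFS applies to any modulus; SNFS only to numbers of special form and is
# used here purely as a "what if a general method got this fast" sensitivity check.
GNFS_C = (64 / 9) ** (1 / 3)   # ~1.923
SNFS_C = (32 / 9) ** (1 / 3)   # ~1.526

# Calibration point assumed by this example: the RSA-768 factorization was
# reported by its authors as roughly 2^67 operations of effort.
CALIBRATION = (768, 67)


def l_notation_bits(modulus_bits, c=GNFS_C, alpha=1 / 3):
    """log2 of L_n[alpha, c] for n = 2^modulus_bits.

    This is the raw asymptotic estimate; the hidden o(1) term and the
    constant factor of real implementations are not included."""
    ln_n = modulus_bits * math.log(2)
    work = c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha)
    return work / math.log(2)


def estimated_security_bits(modulus_bits, calibration=CALIBRATION):
    """Shift the asymptotic GNFS curve so it passes through a real factoring
    record; anchoring to a measured effort absorbs the unknown constant."""
    ref_bits, ref_work = calibration
    offset = ref_work - l_notation_bits(ref_bits)
    return l_notation_bits(modulus_bits) + offset


def rsa_bits_for_security(target_bits, lo=256, hi=16384):
    """Smallest modulus size whose calibrated estimate reaches target_bits.
    Bisection is valid because the estimate is monotone in modulus size."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if estimated_security_bits(mid) < target_bits:
            lo = mid
        else:
            hi = mid
    return hi


def scaled_security_bits(modulus_bits, c_new):
    """What the same key would be worth if a general-purpose algorithm reached
    constant c_new with the same 1/3 exponent. The L-notation exponent is
    linear in c, so every key's bit estimate scales by c_new / GNFS_C."""
    return estimated_security_bits(modulus_bits) * (c_new / GNFS_C)


def security_table(sizes=(512, 768, 1024, 2048, 3072, 4096)):
    """(calibrated GNFS estimate, estimate if the SNFS constant became general)
    for each modulus size: the same key, two very different answers."""
    return {
        n: (round(estimated_security_bits(n)),
            round(scaled_security_bits(n, SNFS_C)))
        for n in sizes
    }


if __name__ == "__main__":
    for n, (now, what_if) in security_table().items():
        print(f"RSA-{n:<5} ~{now:>3} bits today   ~{what_if:>3} bits at the SNFS constant")
    print("smallest modulus for 128-bit security under today's GNFS:",
          rsa_bits_for_security(128))
```

Under this model RSA-3072 lands at roughly 129 bits, matching the AES-128 comparison in the thread, and 512- and 768-bit keys fall far below any modern target. Replacing the GNFS constant with the SNFS one, with no change to the 1/3 exponent, knocks the same 3072-bit key down to about 103 bits; a change to the exponent itself, which is what the switch from the quadratic sieve to the number field sieve was, would move it much further. The published equivalence tables are built from this same kind of extrapolation, so they inherit the same dependence on the best algorithm known at the time.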