FAQ: seeking consensus

Tony Lane codeguro at gmail.com
Fri Oct 18 00:30:02 CEST 2019

On 10/17/19 3:38 PM, Steffen Nurpmeso wrote:
> You know, i would say people should be advised to use the most
> compatible, most secure keys available for their "very key".
> Regardless of computing cost that is.  And use specific "weaker",
> "faster" or whatever keys for specific purposes, like tarball
> signing, or whatever.  I have never understood any other advice,
> actually.  I have vague memories of a very "conservative" sentence
> on the use of PGP keys on the mentioned FreeBSD handbook page, it
> must be more than 15 years, and i have only read it once.
> I adhered to that, and i know that all the RSA 4096 things i have
> produced ever since will be safe for quite some time, maybe even
> until i die (which could happen anytime though), unless the
> quantum thing explodes somehow (not a mathematician here).

If you absolutely, positively, _need_ the most bits of security then
RSA4096 shouldn't be your go-to anymore. RSA4096 doesn't actually
provide 4096 bits of security. The _key_ sizes may be 4096 bits, but
you must understand the security comes from the cardinality of
prime numbers, so the actual amount of security is only 131 bits of
security. Compare this to RSA's 3072 bit keys providing 125 bits of
security. Unlike RSA, ECC keys don't scale logarithmically. For ECC,
the fields need to be a prime modulus, but that's about it. As a
result, the key sizes scale linearly with the bits of security by
a factor of 2. So, if you want the most security possible with GPG
_today_ you won't beat curve P-521, which provides ~261 bits of
security, and to get an equivalent in RSA your key size would need
to be at least 15360.

But you have to understand, even 128 bits of security is so
incredibly large that even the combined computing power of every
processor we have now won't be enough to crack it. See:
https://crypto.stackexchange.com/a/48669 for just how much effort
it'd take.
By the way, 256 bits of security isn't twice the amount of 128 bits.
129 bits is twice the amount of security of 128 bits. Get it?
If you are curious just how much effort it'd take to break a 256 bit
key, I'd argue that it's physically impossible because there simply
isn't enough energy in the universe to break it... see: 

But I digress. It's not the bits of security that matter anymore.
You have a far bigger chance of being insecure with side-channel
attacks etc, than you are with not enough bits of security. That is
a far bigger security hole... Being on a device that is exposed
to the internet. That's where you'd get cracked. Not the key size
being too small.
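Added example (not from this thread or from GnuPG): a small script that shows why RSA key size and security level do not scale together, while ECC field size does. It assumes the GNFS asymptotic run time L_n[1/3, (64/9)^(1/3)] with its o(1) term dropped, so the RSA figures are a shape estimate only and differ by some bits from published tables and from the figures quoted above; the ECC figure is the generic square-root bound.

```python
import math

# Constant c in the GNFS heuristic L_n[1/3, c], c = (64/9)^(1/3).
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def rsa_security_bits(modulus_bits):
    """Approximate work factor, in bits, to factor an RSA modulus of the
    given size with the GNFS.  Assumption: the uncalibrated asymptotic
    run time exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), i.e. the o(1)
    term is ignored, so this gives the shape of the curve, not the
    calibrated values found in standards tables."""
    ln_n = modulus_bits * math.log(2)          # ln n for an n of this bit length
    ln_work = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return ln_work / math.log(2)               # natural-log work -> bits


def ecc_security_bits(field_bits):
    """Best generic attack on a prime-order curve (Pollard rho) costs
    about sqrt(group order) operations, so security is half the field
    size: P-521 gives ~260 bits, P-256 gives ~128."""
    return field_bits / 2.0


def work_ratio(bits_a, bits_b):
    """Ratio of brute-force effort between two security levels: each
    extra bit doubles the work, so 129 bits is twice 128 bits while
    256 bits is 2^128 times 128 bits, not twice."""
    return 2.0 ** (bits_b - bits_a)


if __name__ == "__main__":
    for k in (2048, 3072, 4096, 15360):
        print(f"RSA-{k:<6} ~{rsa_security_bits(k):6.1f} bits (GNFS shape estimate)")
    for f in (256, 384, 521):
        print(f"P-{f:<8} ~{ecc_security_bits(f):6.1f} bits (sqrt bound)")
    print("129-bit vs 128-bit work ratio:", work_ratio(128, 129))
    print("256-bit vs 128-bit work ratio: 2^%d" % math.log2(work_ratio(128, 256)))
```

Doubling the RSA modulus from 2048 to 4096 bits adds only a few tens of bits of estimated security, whereas every extra bit of ECC field size adds half a bit, which is the asymmetry the mail is describing.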
