<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 15, 2015 at 2:54 PM, John Gilmore <span dir="ltr"><<a href="mailto:gnu@toad.com" target="_blank">gnu@toad.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> Right now we do have a defacto consensus algorithm suite:<br>
><br>
> SHA-2-256<br>
> HMAC-SHA-2-256<br>
> AES128 CBC<br>
> RSA-2048<br>
> ECDH-256<br>
><br>
> The main problem with this set is the RSA part and in particular key<br>
> generation which is difficult and painful. The strength is not ideal either<br>
> and RSA really hits diminishing returns above 2048 bits.<br>
<br>
</span>This seems like yet another example of Binary RSA Myopia.<br>
<br>
If the cost of RSA at 2048 bits is too high, why not use 2016 bits?<br>
Or 1984 bits? Or 1600 bits? Or 1216 bits? (NSA's 1024-bit RSA-<br>
cracker won't work on a 1216-bit prime. It probably won't even work on<br>
a 1056-bit prime, since myopia has caused fools to 'standardize' on<br>
1024-bit keys and now a huge majority of TLS keys are 1024 bits.)<br></blockquote><div><br></div><div>Read and respond to what I wrote if you want to accuse others of myopia. Your eyesight is clearly faulty.</div><div><br></div><div>"The strength is not ideal"</div><div><br></div><div>RSA2048 is reckoned to present a work factor of 2^112 which falls short of the 128 we prefer.</div><div><br></div><div>To get to 128 bits we need 3072 bits. And even then that is only 128 bits against the best attack currently known. </div><div><br></div><div><br></div><div><br></div><div>"RSA really hits diminishing returns above 2048 bits."</div><div><br></div><div> If we want to get to 2^256 work factor we need to more than double the number of bits, we need 15360 bits which is ridiculous.</div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
And I'm not sure why you say 'RSA really hits diminishing returns<br>
above 2048 bits". Do you mean, using myopia, that you don't think the<br>
price/performance of 4096 bits is worthwhile? Then why didn't you say<br>
so? My RSA OpenPGP key has 3200 bits and it seems to have no<br>
difficulties in price/performance or interoperation.<br>
<span class="HOEnZb"><font color="#888888"><br>
John<br>
</font></span></blockquote></div><br></div><div class="gmail_extra">The tone of your response suggests that you need to consider the fact that if someone is saying something that appears to be stupid, you are reading it wrong rather than the other person wrote something stupid.</div><div class="gmail_extra"><br></div></div>