Lucky's 1024-bit post [was: RE: objectivity and factoring analysis]
Enzo Michelangeli
em at who.net
Tue Apr 23 20:52:32 EDT 2002
Further to Lucky's comments: in the last few days I have discussed keysize
issues with a few people on a couple of mailing lists, and I have
encountered a hostility to large keysizes of which, frankly, I don't
understand the reasons. On the client side at least, performance is not an
issue: PGP 7.0.3 with my new 4096-bit PGP key appears to be as snappy as it
was with 1024-bit keys, and the table at
http://www.mccune.cc/PGPpage2.htm#Speed looks quite reassuring.
In particular, none of the naysayers explained me clearly why it should be
reasonable to use 256-bit ciphers like AES with 1024-bit PK keypairs. Even
before Bernstein's papers it was widely accepted that bruteforcing a 256-bit
cipher requires computing power equivalent to ~16Kbit RSA or DH keys (and
~~512-bit ECC keys). Given that a cipher protects only one session, but PK
protection extends to a large number of sessions, one would expect the PK
part to be engineered to be the _stronger_ link of a cryptosystem, not the
weaker. And if the reason for the 256 bits is the possible deployment,
sometimes in the future, of quantum computers, well in that case we should
stop using PK cryptography altogether.
What am I missing?
Enzo
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list