Further to Lucky's comments: in the last few days I have discussed keysize issues with a few people on a couple of mailing lists, and I have encountered a hostility to large keysizes of which, frankly, I don't understand the reasons. On the client side at least, performance is not an issue: PGP 7.0.3 with my new 4096-bit PGP key appears to be as snappy as it was with 1024-bit keys, and the table at http://www.mccune.cc/PGPpage2.htm#Speed looks quite reassuring.
In particular, none of the naysayers explained me clearly why it should be reasonable to use 256-bit ciphers like AES with 1024-bit PK keypairs. Even before Bernstein's papers it was widely accepted that bruteforcing a 256-bit cipher requires computing power equivalent to ~16Kbit RSA or DH keys (and ~~512-bit ECC keys). Given that a cipher protects only one session, but PK protection extends to a large number of sessions, one would expect the PK part to be engineered to be the _stronger_ link of a cryptosystem, not the weaker. And if the reason for the 256 bits is the possible deployment, sometimes in the future, of quantum computers, well in that case we should stop using PK cryptography altogether. What am I missing? Enzo --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]