On Tue 2015-06-02 14:26:39 -0400, Robert J. Hansen wrote:
>> Even worse, there are standard attacks that find _at least one_ of
>> the keys using just 2^78 easy computations, a feasible computation
>> today.
>
> So there's a 10**-88 chance that one of my keys can be broken in 10**53
> computations? Sign me up.
To be clear, it's not "one of my keys" in the asymmetric key sense, where you, rjh, have only a handful over your lifetime. Every time you send an encrypted message, GnuPG generates a new AES key to encrypt that message with. So "one of my messages' keys" is more accurate.

And (sorry Rob) I don't care only about your keys (or your messages' keys). I care about all the messages ever generated by GnuPG. If an attacker can do 2^78 computations, I'd prefer it if they couldn't break even one of the messages ever created by GnuPG. I don't get to decide which of our users to throw under the bus in that case. But if we move to AES-256, we remove this attack, which means that none of our users get thrown under this particular bus. Given that these calculations are not a bottleneck for users, we should move them all to the stronger cipher by default.

[ Note that the argument here is now heading toward "what should the default cipher be?", though I started with "what should the default s2k cipher mode be?" -- I still want to focus on the s2k mode question, because it protects secret key material, and I think that's higher priority and an even more obvious win; I'm happy to broaden the discussion as long as it doesn't distract from the s2k-cipher-mode question. ]

> I have a lot of respect for djb, but on this one he's just way off in
> left field.

I don't think so. He is thinking about the whole field, though, rather than thinking about "what are the chances that a baseball will happen to land right where I'm standing right now?" I also care about the whole field.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
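The thread argues about a multi-target (batch) key search: an attacker who holds many message keys' ciphertexts and tests each candidate key against all of them at once pays roughly keyspace / number-of-targets work to recover at least one, instead of half the keyspace for one specific key. The following is an added illustration, not code from the thread, GnuPG or djb: it uses a constructed 20-bit toy cipher (a truncated keyed hash, not AES), assumes every message has a predictable first block, and assumes 2^50 targets to arrive at the thread's 2^78 figure for 128-bit keys; the same arithmetic gives 2^206 for 256-bit keys, which is why the larger key removes the attack as a practical concern.

```python
import hashlib
import random

# Constructed toy model, not AES and not GnuPG's message format: a KEY_BITS-bit
# key "encrypts" one fixed, predictable plaintext block. The only figure taken
# from the thread is 2^78; the 2^50 target count used below is an assumption.
KEY_BITS = 20
KNOWN_BLOCK = b"assumed-predictable-first-block"


def toy_encrypt(key: int, block: bytes = KNOWN_BLOCK) -> bytes:
    """Stand-in for a block cipher: keyed hash of the block, truncated to 8 bytes."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:8]


def single_target_work_bits(key_bits: int) -> int:
    """log2 of the expected trials to recover one specific key: half the keyspace."""
    return key_bits - 1


def multi_target_work_bits(key_bits: int, target_bits: int) -> int:
    """log2 of the expected trials to recover at least one of 2^target_bits keys
    when every trial is compared against all targets at once (the batch attack
    the thread refers to): the effective keyspace shrinks by the number of targets."""
    return key_bits - target_bits


def multi_target_attack(targets, key_bits=KEY_BITS):
    """Scan candidate keys once. Each trial costs one toy_encrypt plus one dict
    lookup, yet it tests the candidate against every target simultaneously.
    Returns (trials, recovered_key, index_of_recovered_target)."""
    lookup = {toy_encrypt(k): i for i, k in enumerate(targets)}
    for trials, candidate in enumerate(range(1 << key_bits), start=1):
        hit = lookup.get(toy_encrypt(candidate))
        if hit is not None:
            return trials, candidate, hit
    raise RuntimeError("keyspace exhausted without a hit")  # unreachable for in-range targets


def demo(n_targets: int = 1024, seed: int = 1):
    """Generate n_targets random toy message keys (constructed sample data) and
    run the batch attack. Expected trials ~ 2^KEY_BITS / n_targets = 2^10,
    against ~2^19 for a single target."""
    rng = random.Random(seed)
    targets = [rng.getrandbits(KEY_BITS) for _ in range(n_targets)]
    trials, key, idx = multi_target_attack(targets)
    return trials, key, idx, targets


if __name__ == "__main__":
    trials, key, idx, targets = demo()
    print(f"recovered target #{idx} (key {key:#07x}) after {trials} trials; "
          f"single-target expectation ~{1 << single_target_work_bits(KEY_BITS)}")
    for kb in (128, 256):
        print(f"{kb}-bit keys, 2^50 targets: ~2^{multi_target_work_bits(kb, 50)} "
              f"trials to break at least one")
```

The point of the simulation is that the per-trial cost does not grow with the number of targets, so the attacker's expected work is divided by it; the defender's only lever is the key length, and 256 - 50 = 206 bits of remaining work is out of reach in a way that 78 is not.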