Re: 4096 bit keys

2011-03-23 Thread Werner Koch
On Wed, 23 Mar 2011 03:33, jpcli...@tx.rr.com said:

 Could be in OpenPGP later this year. Camellia was fairly fast.

It is not required to be in OpenPGP (technically a new RFC to extend
rfc4880).  We have always added new features to OpenPGP before we had an
RFC for it.  Basically, the WG agrees upon it and we have two
compatible implementations.  This was the case for AES, MDC, the new
secret key protection mechanism and now for ECC.

   2) The ECC-OpenPGP draft itself. Andrey Jivsov, the author,
  is with Symantec Corp (read PGP Corp).
  https://sites.google.com/site/brainhub/draft-jivsov-openpgp-ecc-07.txt

He wrote this draft while he worked at PGP.  He also contributed the ECC
code for GnuPG.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: 4096 bit keys

2011-03-23 Thread Ingo Klöcker
On Tuesday 22 March 2011, Robert J. Hansen wrote:
 On 3/22/11 5:50 PM, Jerome Baum wrote:
  Actually none of this is that important. If you can do the
  division in half a second instead of one, that only halves the
  time you need. All I have to do is add one bit to my key size
  and you're back to square one.
 
 You have to add one bit to your *effective* key size.  Remember, the
 primes are not evenly distributed: the larger you go, the more they
 are spread out.  This is why for very small keys each additional bit
 gives you quite a lot of security, but as keys grow very large more
 and more bits have to be added to get that additional boost.
 
 As an example, there are 25 primes under 100: of all the possible
 values, you have to check 25% of them.  But there are only 78,498
 primes under one million: you only have to check 7.9% of those
 numbers.

Well, that's only true if you have previously enumerated all primes 
which is impossible for the bit sizes we are speaking about. So, 
effectively, the scarcity of primes does not give the attacker any 
advantage.


Regards,
Ingo




re: 4096 bit keys

2011-03-23 Thread vedaal
Jerome Baum jerome at jeromebaum.com wrote on
Tue Mar 22 23:28:31 CET 2011 :

They  go  up with  O(log(n))  where n  is  the number,  or
something like it, right? 


The Prime Number Theorem:

Pi(x) ~ x/ln(x)
(Pi(x) refers to the number of primes up to and including the
integer x; ~ means approximately.)


Formally, the proof is for lim (x -> infinity) Pi(x)/[x/ln(x)] = 1

There is an interesting related Prime Number theorem that might 
help you eliminate which intervals of numbers need to be factored:

For any positive integer n, there exists an integer a, such that 
the n consecutive integers:
[ a, a+1, a+2, ..., a+(n-1)] 
are all composite.

a = (n+1)! + 2

(For anyone interested, the proof is in a free and easily readable, 
downloadable text on Elementary Number Theory by W. Edwin Clark
http://shell.cas.usf.edu/~wclark/  )

Now, while there is no simple formula that can generate all primes, 
it is very simple to generate factorials for all n up to the point 
where n! is less than the square root of 2^4096.

So, in your spare time, ;-) you can eliminate a large number of
intervals where factoring is unnecessary.

(But even after all that, you may find that a 4096 bit key is still 
pretty much unfactorable for the not-too-near future. ;-)  )


vedaal





Re: 4096 bit keys

2011-03-23 Thread Ingo Klöcker
On Wednesday 23 March 2011, ved...@nym.hush.com wrote:
 Jerome Baum jerome at jeromebaum.com wrote on
 
 Tue Mar 22 23:28:31 CET 2011 :
 They  go  up with  O(log(n))  where n  is  the number,  or
 
 something like it, right?
 
 
 The Prime Number Theorem:
 
 Pi(x) ~ x/ln(x)
 (Pi(x) refers to the number of primes up to and including the
 integer x; ~ means approximately.)
 
 
 Formally, the proof is for lim (x -> infinity) Pi(x)/[x/ln(x)] = 1
 
 There is an interesting related Prime Number theorem that might
 help you eliminate which intervals of numbers need to be factored:
 
 For any positive integer n, there exists an integer a, such that
 the n consecutive integers:
 [ a, a+1, a+2, ..., a+(n-1)]
 are all composite.
 
 a = (n+1)! + 2
 
 (For anyone interested, the proof is in a free and easily readable,
 downloadable text on Elementary Number Theory by W. Edwin Clark
 http://shell.cas.usf.edu/~wclark/  )
 
 Now, while there is no simple formula that can generate all primes,
 it is very simple to generate factorials for all n up to the point
 where n! is less than the square root of 2^4096.
 
 So, in your spare time, ;-) you can eliminate a large number of
 intervals where factoring is unnecessary.

Pretty much exactly 300, since 300! < 2^2048 < 301!.

So, out of 2^2048 candidates you eliminate 1+2+...+300 = 300*301/2 = 
45150 candidates which lie in those intervals. Impressive!


Regards,
Ingo
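As an added example (not code from the thread or from GnuPG), the following Python checks the figures quoted above with nothing beyond the standard library: Robert's prime counts (25 under 100, 78,498 under one million) against Pi(x) ~ x/ln(x), vedaal's run of n composites starting at (n+1)!+2, and Ingo's tally of 300 and 45150 for 2^2048.

```python
# Added example: verifies the prime-density and factorial-interval figures
# discussed in the thread. Uses only the Python standard library.
import math


def prime_count(x):
    """Pi(x): number of primes <= x, by a plain sieve of Eratosthenes."""
    if x < 2:
        return 0
    is_prime = bytearray([1]) * (x + 1)
    is_prime[0] = is_prime[1] = 0
    for p in range(2, math.isqrt(x) + 1):
        if is_prime[p]:
            # cross out every multiple of p from p*p upwards
            is_prime[p * p::p] = bytearray(len(range(p * p, x + 1, p)))
    return sum(is_prime)


def pnt_ratio(x):
    """Pi(x) divided by the Prime Number Theorem estimate x/ln(x); tends to 1."""
    return prime_count(x) / (x / math.log(x))


def composite_run(n):
    """vedaal's construction: the n consecutive integers starting at (n+1)! + 2.

    Member i (0-based) is divisible by i + 2, because (n+1)! already is.
    """
    a = math.factorial(n + 1) + 2
    return [a + i for i in range(n)]


def run_is_composite(n):
    """Confirm the run without factoring: member i has the proper divisor i + 2."""
    return all(v % (i + 2) == 0 and v > i + 2
               for i, v in enumerate(composite_run(n)))


def largest_n_with_factorial_below(bound):
    """Largest n with n! < bound (Ingo's 300 for bound = 2^2048)."""
    n, fact = 1, 1
    while fact * (n + 1) < bound:
        n += 1
        fact *= n
    return n


def eliminated_candidates(bound):
    """Ingo's tally: one run of n composites for every n with n! < bound,
    so 1 + 2 + ... + N = N(N+1)/2 candidates in total."""
    big_n = largest_n_with_factorial_below(bound)
    return big_n * (big_n + 1) // 2


def bits_remaining(bound):
    """log2(bound) - log2(eliminated): how much of the search space, in bits,
    is left after removing those runs. For 2^2048 it is still about 2032 bits,
    which is the point of Ingo's 'Impressive!'."""
    return math.log2(bound) - math.log2(eliminated_candidates(bound))


if __name__ == "__main__":
    for x in (100, 10**6):
        print(f"Pi({x}) = {prime_count(x)}, ratio to x/ln x = {pnt_ratio(x):.3f}")
    print("run for n=5:", composite_run(5), run_is_composite(5))
    bound = 2**2048
    print("largest n with n! < 2^2048:", largest_n_with_factorial_below(bound))
    print("candidates eliminated:", eliminated_candidates(bound))
    print(f"search space bits remaining: ~{bits_remaining(bound):.1f}")
```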




Re: 4096 bit keys

2011-03-23 Thread vedaal
Ingo Klöcker kloecker at kde.org wrote on
Wed Mar 23 22:39:05 CET 2011 :

So, out of 2^2048 candidates you eliminate 1+2+...+300 = 300*301/2 =
45150 candidates which lie in those intervals. Impressive!

lol!

like I said,

4096 bit keys will remain secure for the not-too-near future


vedaal







Re: 4096 bit keys

2011-03-22 Thread Jerome Baum
Mike Acker mike_ac...@charter.net writes:

 with chip makers playing with chips having 64 cores printed in silicon...

 someplace i read the ratios on this,-- if you make the key a little
 longer the key gets much harder to break.  in public key encryption
 though you have to factor the product of the two large prime numbers --
 which i'm told is no easy task.  i've often wondered about this as lists
 of large prime numbers are not hard to come by... so-- start someplace
 and start running divides... trouble is though you can't use the
 hardware instruction set: the numbers are way too large

 what does an x64 chip do? divide a 64 bit integer into a 128 bit
 dividend to yield a 64 bit quotient and a 64 bit remainder? dunno but
 you have to do the same thing but using what? a 2048 or 4096 bit dividend?

Actually none of this is that important. If you can do the division in
half a second instead of one, that only halves the time you need. All I
have to do is add one bit to my key size and you're back to square
one. The problem is the number of divisions you have to perform, O(2^n)
for RSA-n. Actually it's a lot less, O(2^(n/2)), for the simple fact that
you have to divide only up to the square root, as one factor must be
smaller than that. But the kind of magnitude is still the same and it
grows pretty fast with key size.

 what if they put 8192 cores on a chip? who would have such a machine?
 NSA.  the smart money would bet they would have it

It's not so much about the number of cores. If you have two cores, that
doesn't account for double the length in the key. The scale is linear
(double the computing power, half the time required to crack), while the
key length scale is exponential (double the length, square the
size/difficulty).

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: 4096 bit keys

2011-03-22 Thread Jonathan Ely
I really wish 8192 would become available. Not that it would be the end
all/be all of key security but according to your theory it sounds much
more difficult to crack.

On 22/03/2011 05:14 PM, Mike Acker wrote:
 with chip makers playing with chips having 64 cores printed in silicon...
 
 someplace i read the ratios on this,-- if you make the key a little
 longer the key gets much harder to break.  in public key encryption
 though you have to factor the product of the two large prime numbers --
 which i'm told is no easy task.  i've often wondered about this as lists
 of large prime numbers are not hard to come by... so-- start someplace
 and start running divides... trouble is though you can't use the
 hardware instruction set: the numbers are way too large
 
 what does an x64 chip do? divide a 64 bit integer into a 128 bit
 dividend to yield a 64 bit quotient and a 64 bit remainder? dunno but
 you have to do the same thing but using what? a 2048 or 4096 bit dividend?
 
 (I'm not a mathematician)
 
 what if they put 8192 cores on a chip? who would have such a machine?
 NSA.  the smart money would bet they would have it
 
 
 
 





Re: 4096 bit keys

2011-03-22 Thread Jerome Baum
Jonathan Ely thaj...@gmail.com writes:

 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.

Take that a few steps further. Why not use 999-bit
keys? Because they are much more difficult to compute. In fact if you go
above a certain key size, since IIRC the exponent e is standardized and
thus limited, your discrete logarithm is no longer discrete and so your
key security just vanishes.

In any case, 4096 bits will be secure for some time to come, and yes
8192 bits would be even more secure. We can take that as far as we wish
but there are limits in the standard, in compatibility, and in the
current implementation.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: 4096 bit keys

2011-03-22 Thread Robert J. Hansen
On 3/22/11 5:50 PM, Jerome Baum wrote:
 Actually none of this is that important. If you can do the division in
 half a second instead of one, that only halves the time you need. All I
 have to do is add one bit to my key size and you're back to square
 one.

You have to add one bit to your *effective* key size.  Remember, the
primes are not evenly distributed: the larger you go, the more they are
spread out.  This is why for very small keys each additional bit gives
you quite a lot of security, but as keys grow very large more and more
bits have to be added to get that additional boost.

As an example, there are 25 primes under 100: of all the possible
values, you have to check 25% of them.  But there are only 78,498 primes
under one million: you only have to check 7.9% of those numbers.

 The problem is the number of divisions you have to perform, O(2^n)
 for RSA-n. Actually it's a lot less, O(2^(n/2)), for the simple fact that
 you have to divide only up to the square root, as one factor must be
 smaller than that. But the kind of magnitude is still the same and it
 grows pretty fast with key size.

You might want to look into the General Number Field Sieve (GNFS), which
is a much more efficient way of breaking RSA keys than by simple trial
division.



Re: 4096 bit keys

2011-03-22 Thread Jerome Baum
Robert J. Hansen r...@sixdemonbag.org writes:

 You have to add one bit to your *effective* key size.  Remember, the
 primes are not evenly distributed: the larger you go, the more they are
 spread out.  This is why for very small keys each additional bit gives
 you quite a lot of security, but as keys grow very large more and more
 bits have to be added to get that additional boost.

 As an example, there are 25 primes under 100: of all the possible
 values, you have to check 25% of them.  But there are only 78,498 primes
 under one million: you only have to check 7.9% of those numbers.

Yeah, sorry. They go up with O(log(n)) where n is the number, or
something like it, right? In any case the point remains -- I have to add
a few bits while you have to figure out a whole new means of division
that is much faster.

 The problem is the number of divisions you have to perform, O(2^n)
 for RSA-n. Actually it's a lot less, O(2^(n/2)), for the simple fact that
 you have to divide only up to the square root, as one factor must be
 smaller than that. But the kind of magnitude is still the same and it
 grows pretty fast with key size.

 You might want to look into the General Number Field Sieve (GNFS), which
 is a much more efficient way of breaking RSA keys than by simple trial
 division.

That's why I said "actually it's a lot less, ... for the simple fact
that ..." -- my point remains, the kind of magnitude is still the same
and it grows pretty fast with key size. GNFS is also exponential in some
multiple of the key size, at least IIRC.

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: 4096 bit keys

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 6:53 PM, Grant Olson wrote:
 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.

Do you have a cite for that?  I know ECC is approved, but I've never
been able to find confirmation one way or another that ECC is the *only*
publicly-acknowledged asymmetric algorithm approved for TS.  Any
heads-up you could give would be appreciated.



Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 06:06 PM, Jonathan Ely wrote:
 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.
 

The actual cutting edge solution is to move from RSA to ECC.  Even a
8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
SECRET materials, but ECC-521 is.

ECC actually is up-and-running in the beta for gpg 2.1, but
realistically it'll be (at least) a few years before it gets mainstream
adoption.

-- 
-Grant

Look around! Can you construct some sort of rudimentary lathe?





Re: 4096 bit keys

2011-03-22 Thread Jonathan Ely
What is ECC? Now I want that haha.

On 22/03/2011 06:53 PM, Grant Olson wrote:
 On 03/22/2011 06:06 PM, Jonathan Ely wrote:
 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.

 
 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.
 
 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.
 
 
 
 





Re: 4096 bit keys

2011-03-22 Thread Jerome Baum
Grant Olson k...@grant-olson.net writes:

 On 03/22/2011 06:06 PM, Jonathan Ely wrote:
 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.
 

 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.

Isn't ECDSA really vulnerable to reused and predictable signature seeds
(don't know what they're called, I'm talking about k)?

 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.

You lose any interoperability as it's not OpenPGP, right? It certainly
isn't in the commercial PGP. OT but does anyone know how I can make PGP
stop trying to access my (not plugged-in) smart-card reader? I have one
of those DATEV smart cards and PGP seems to think "hey! I see there may
or may not possibly be something available or temporarily unavailable or
not available at all on this system that we like to refer to as 'smart
card', and it may or may not be convenient for my user to use that thing
that we like to refer to as 'smart card'. Instead of bothering my user
with questions about this so-called 'smart card' and whether I should
use it, I'll just call the API. In fact, because my user might
accidentally click 'don't use smart card (i.e. cancel)', I'll run that
API call 5 times -- just to be sure."

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: 4096 bit keys

2011-03-22 Thread Robert J. Hansen
On 3/22/2011 7:44 PM, Jerome Baum wrote:
 Isn't ECDSA really vulnerable to reused and predictable signature
 seeds (don't know what they're called, I'm talking about k)?

No more so than many other algorithms.  If the algorithm says this value
must be random and you don't use a random value, then yes, you're going
to have a very bad day.

 You lose any interoperability as it's not OpenPGP, right?

ECC is being introduced into the OpenPGP standard.  Pretty much everyone
in the working group wants it to be added: they just want to make sure
it gets added in the right way.

I'll eat my own hat if PGP Corporation doesn't already have an internal
testing branch that supports ECC.



Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:29 PM, Robert J. Hansen wrote:
 On 3/22/2011 6:53 PM, Grant Olson wrote:
 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.
 
 Do you have a cite for that?  I know ECC is approved, but I've never
 been able to find confirmation one way or another that ECC is the *only*
 publicly-acknowledged asymmetric algorithm approved for TS.  Any
 heads-up you could give would be appreciated.
 

I suppose in the sense I can't prove a negative, I don't have a cite.
There could be another recommendation out there, but I was going off of
NSA Suite B.  (Link and text follow.)   It says that RSA 2048 bit keys
can be used while transitioning to ECC, but for SECRET level only.  It
also says ECC-384 is good enough for TOP SECRET.  I just mis-remembered
that as ECC-521.

http://www.nsa.gov/ia/programs/suiteb_cryptography/


AES with 128-bit keys provides adequate protection for classified
information up to the SECRET level. Similarly, ECDH and ECDSA using the
256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and
SHA-256 provide adequate protection for classified information up to the
SECRET level. During the transition to the use of elliptic curve
cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a
2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the
384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and
SHA-384 are required to protect classified information at the TOP SECRET
level. Since some products approved to protect classified information up
to the TOP SECRET level will only contain algorithms with these
parameters, algorithm interoperability between various products can only
be guaranteed by having these parameters as options.




-- 
-Grant

Look around! Can you construct some sort of rudimentary lathe?





Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:32 PM, Jonathan Ely wrote:
 What is ECC? Now I want that haha.
 

Elliptic Curve Cryptography

https://secure.wikimedia.org/wikipedia/en/wiki/Elliptic_curve_cryptography

Since it isn't based on prime numbers, it 'scales' better than RSA or
DSA, and keys of similar security levels are much smaller.

-- 
-Grant

Look around! Can you construct some sort of rudimentary lathe?





Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:44 PM, Jerome Baum wrote:
 Grant Olson k...@grant-olson.net writes:
 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.
 
 You lose any interoperability as it's not OpenPGP, right? It certainly
 isn't in the commercial PGP.

That's why I said "but realistically it'll be (at least) a few years
before it gets mainstream adoption". ;-)

Even if the draft standard got approved today, and both gpg and pgp corp
had working production implementations, it'll be years before it gets to
the point where you can assume random users will be able to support ECC.

But if you just wanted to use it with your inner circle, be it an
eco-terrorist cell or a fantasy football league, you actually could
start using it today.

-- 
-Grant

Look around! Can you construct some sort of rudimentary lathe?





Re: 4096 bit keys

2011-03-22 Thread Jerome Baum
Grant Olson k...@grant-olson.net writes:

 On 03/22/2011 07:44 PM, Jerome Baum wrote:
 Grant Olson k...@grant-olson.net writes:
 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.
 
 You lose any interoperability as it's not OpenPGP, right? It certainly
 isn't in the commercial PGP.

 That's why I said but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption. ;-)

Right, and everything you wrote below. I was just reinforcing the
strong suggestion that people not use it. Think about some innocent
average Joe (while I put big trust in Alice and Bob, I am not too
confident in Joe) reading the archives, fetching the gpg beta (where
necessary switching on expert mode) in an attempt to use ECC because it
sounds cool to use.

Might be that my level of confidence in Joe is a bit skewed, but then,
pink elephants!

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA




Re: 4096 bit keys

2011-03-22 Thread Larry Brower
On 03/22/2011 06:32 PM, Jonathan Ely wrote:
 What is ECC? Now I want that haha.

Elliptic curve cryptography



http://en.wikipedia.org/wiki/Elliptic_curve_cryptography


Re: 4096 bit keys

2011-03-22 Thread David Tomaschik
On Tue, Mar 22, 2011 at 5:14 PM, Mike Acker mike_ac...@charter.net wrote:
 with chip makers playing with chips having 64 cores printed in silicon...

 someplace i read the ratios on this,-- if you make the key a little
 longer the key gets much harder to break.  in public key encryption
 though you have to factor the product of the two large prime numbers --
 which i'm told is no easy task.  i've often wondered about this as lists
 of large prime numbers are not hard to come by... so-- start someplace
 and start running divides... trouble is though you can't use the
 hardware instruction set: the numbers are way too large

 what does an x64 chip do? divide a 64 bit integer into a 128 bit
 dividend to yield a 64 bit quotient and a 64 bit remainder? dunno but
 you have to do the same thing but using what? a 2048 or 4096 bit dividend?

 (I'm not a mathematician)

 what if they put 8192 cores on a chip? who would have such a machine?
 NSA.  the smart money would bet they would have it

 --
 /MIKE

So, AMD sells Opterons with 12 cores in a single CPU.  It has a street
price of $770.  In 2007, the TILE64 was released (a CPU with 64 cores,
but not x86-compatible).  It's a safe assumption that the NSA *could*
have a NUMA supercomputer or a cluster with 8000+ cores TODAY, but
even with those resources, it's unlikely they could get your key, or
would invest the time to do so.

RSA-768 (a 768-bit modulus) was factored in December 2009, in a
process that took hundreds of computers two years to complete. [1]
The authors of [1] estimate that a 1024-bit RSA modulus would be 1000
times as difficult to factor, but would be achievable in a fashion
similar to theirs within a decade.  That being said, I believe (but
have no solid numbers to back) that 2048 is probably about 1,000,000
TIMES as difficult to factor as RSA-1024.  (I base this on a 1000 time
number from 768 to 1024, and the decreasing incidence of prime numbers
as we get larger values.)

The reality is, for the NSA to even invest the computing time that was
involved in the RSA-768 effort, you'd have to have done (or they would
need to believe that you have done or will do) something REALLY BIG.
Probably on the order of importing CBRN-type weaponry into the US.
And if they believe you're that bad, they will find a way to get at
your key (or rather, your plaintexts).

The ability to casually decrypt even 1024-bit keys is nowhere near.
(And by casually, I mean a difficulty similar to what it takes to
wiretap a phone.)

[1] http://eprint.iacr.org/2010/006

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com



Re: 4096 bit keys

2011-03-22 Thread John Clizbe
Jerome Baum wrote:
 Grant Olson k...@grant-olson.net writes:
 
 On 03/22/2011 06:06 PM, Jonathan Ely wrote:
 I really wish 8192 would become available. Not that it would be the end
 all/be all of key security but according to your theory it sounds much
 more difficult to crack.
 

 The actual cutting edge solution is to move from RSA to ECC.  Even a
 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP
 SECRET materials, but ECC-521 is.
 
 Isn't ECDSA really vulnerable to reused and predictable signature seeds
 (don't know what they're called, I'm talking about k)?

Depends more on the quality of your PRNG.

 ECC actually is up-and-running in the beta for gpg 2.1, but
 realistically it'll be (at least) a few years before it gets mainstream
 adoption.

Could be in OpenPGP later this year. Camellia was fairly fast.

As I recall, there is some coordination among the OpenPGP ECC author and the
maintainers of other FOSS crypto software so they implement things in a
compatible manner. I believe they may be waiting for a SHA-3 algorithm to be
picked. It was discussed on the IETF-OpenPGP list late last year.

 
 You lose any interoperability as it's not OpenPGP, right? It certainly
 isn't in the commercial PGP.

It certainly isn't in the commercial PGP. Not yet, although as Rob said, I'd
be surprised if PGP (Symantec) didn't already have an ECC-enabled branch waiting
to release once the ECC OpenPGP Draft is adopted. Two reasons:

  1) One of the main initiatives of Suite B is the use of COTS,
 and the USG represents a VERY large market for PGP.

  2) The ECC-OpenPGP draft itself. Andrey Jivsov, the author,
 is with Symantec Corp (read PGP Corp).
 https://sites.google.com/site/brainhub/draft-jivsov-openpgp-ecc-07.txt

-- 
John P. Clizbe  Inet:   John (a) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels


