2047 bit keys in PGP

[Tom Weinstein]

Ian Goldberg wrote:
> 
> Order of magnitude check:
> 
> There is a very well-defined limit to the size of key that can be
> broken by brute force, independent of your "wildest dreams" as to the
> growth of technology.  It's the Laws of Thermodynamics.
> 
> For a symmetric algorithm for which any value of the appropriate
> length n is a possibly valid (and equally likely) key, there are 2^n
> keys to try in a brute-force search.  From Applied Crypto, 2nd ed,
> pp157-158, setting or clearing one bit takes at _least_ 4.4*10^-16 erg
> of energy.  For symmetric keys of size 256, then, you would need more
> than 10^61 erg (that's 10^45 GJ) of energy just to _enumerate_ the
> states.  For comparison, this about 10 billion times larger than the
> output of a typical supernova.
> (Ibid.)

Although your point is quite valid, there is always the possibility of
some technological advance that invalidates these calculations.  It is
possible that quantum crypto will some day make brute forcing 256 bit
keys practical.  (Of course, my knowledge about quantum crypto couldn't
fill a thimble, so maybe I'm wrong.)

These results also apply only to symmetric key ciphers and have no
relation to the difficulty of breaking RSA.  The techniques for
factoring large numbers have come a long way in the recent past and it
would not be much of a surprise for them to take another large leap.

All that being said, I believe that 128 bits is sufficient for a
symmetric key and 2048 for a public key.  Our paranoia would be far
better directed at as yet unknown attacks on the algoritms involved
or the specific implementations of cryptographic systems.  Paul Kocher's
recent timing attack is a perfect example of what we should be afraid
of.

-- 
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw at netscape.com