Disguising the Key length (Was...Has a change taken place in factoring RSA keys)

Bill Stewart bill.stewart at pobox.com
Sat Nov 29 19:18:26 PST 2003

At 02:09 PM 11/10/2003 -0500, Tyler Durden wrote:
>"I think that's the source as well - when the most recent of the
>TWINKLE and TWIRL papers came out, Lucky Green was talking about
>whether it was still safe to use 1024-bit keys,
>and $1B for 1 key/day is similar to Shamir & Tromer's estimate of
>            ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf )
>$20M upfront plus $10M for a 1 key/year capacity."
>My first question is, how easy is it for them to estimate the key size of 
>an encrypted message?
>Can they do this without actually "chewing" on the message for a while? 
>(ie, if it doesn't crack in x minutes then there's a 99% probability of 
>the key being Y in length...)
>Second question: Is it possible to make a message appear to have been 
>encrypted with a shorter key than was actually used?

The answer to both those questions is
extremely dependent on the message formats
(plus whether the public keys are published :-)
PGP's formats may be ugly bit-twiddly stuff,
but they're also highly visible unless you're using the
add-on stealth packages.  Most of the other formats
for expressing bignum data also tell you how big the numbers are
(or use a fixed-length key.)  Some signature algorithms
produce output that's shorter than the public key
(such as 160-bit signatures), but if you can find the
public key you can obviously tell.

But for the second question, why bother?  Use adequately long keys.

More information about the cypherpunks-legacy mailing list