Disguising the Key length (Was...Has a change taken place in factoring RSA keys)

Bill Stewart bill.stewart at pobox.com
Sat Nov 29 19:18:26 PST 2003


At 02:09 PM 11/10/2003 -0500, Tyler Durden wrote:
>"I think that's the source as well - when the most recent of the
>TWINKLE and TWIRL papers came out, Lucky Green was talking about
>whether it was still safe to use 1024-bit keys,
>and $1B for 1 key/day is similar to Shamir & Tromer's estimate of
>            ( http://www.wisdom.weizmann.ac.il/~tromer/papers/cbtwirl.pdf )
>$20M upfront plus $10M for a 1 key/year capacity."
>
>My first question is, how easy is it for them to estimate the key size of 
>an encrypted message?
>
>Can they do this without actually "chewing" on the message for a while? 
>(i.e., if it doesn't crack in x minutes then there's a 99% probability of 
>the key being Y in length...)
>
>Second question: Is it possible to make a message appear to have been 
>encrypted with a shorter key than was actually used?

The answer to both those questions is
extremely dependent on the message formats
(plus whether the public keys are published :-).
PGP's formats may be ugly bit-twiddly stuff,
but they're also highly visible unless you're using the
add-on stealth packages.  Most of the other formats
for expressing bignum data also tell you how big the numbers are
(or use a fixed-length key).  Some signature algorithms
produce output that's shorter than the public key
(such as 160-bit signatures), but if you can find the
public key you can obviously tell.

But for the second question, why bother?  Use adequately long keys.
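
As an added illustration of the point about visible bignum lengths (not part of the original message and not taken from any PGP implementation): the OpenPGP format (RFC 4880) prefixes every multiprecision integer with a two-octet bit count, so a version 3 public-key encrypted session key packet shows the approximate RSA modulus size before any decryption is attempted. The sample packet is constructed filler with a zero key ID, and the function names are hypothetical.

```python
import struct

def read_mpi(buf, off):
    """OpenPGP MPI: two-octet big-endian bit count, then ceil(bits/8) octets."""
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return bits, int.from_bytes(buf[off + 2:end], "big"), end

def read_header(buf):
    """Return (tag, body_offset, body_length) for one packet header."""
    c = buf[0]
    if not c & 0x80:
        raise ValueError("not an OpenPGP packet")
    if c & 0x40:                      # new-format header
        tag, b1 = c & 0x3F, buf[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + buf[2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(buf[2:6], "big")
        raise ValueError("partial body lengths not handled")
    tag, ltype = (c >> 2) & 0x0F, c & 3   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    n = 1 << ltype
    return tag, 1 + n, int.from_bytes(buf[1:1 + n], "big")

def inspect_pkesk(buf):
    """Fields readable without any key; ciphertext < modulus, so bits is a lower bound."""
    tag, off, length = read_header(buf)
    body = buf[off:off + length]
    if tag != 1 or len(body) < 12 or body[0] != 3:
        raise ValueError("not a version 3 PKESK packet")
    bits, _, _ = read_mpi(body, 10)
    return {"key_id": body[1:9].hex(), "algo": body[9], "modulus_bits_at_least": bits}

def sample_packet(bits):
    """Constructed packet: zero (wildcard) key ID, filler MPI, not real ciphertext."""
    mpi = (1 << (bits - 1)) | 0x5A
    body = b"\x03" + bytes(8) + b"\x01" + struct.pack(">H", bits)
    body += mpi.to_bytes((bits + 7) // 8, "big")
    return b"\x85" + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    for size in (1023, 2048):
        print(inspect_pkesk(sample_packet(size)))
```

Even with the key ID zeroed out, the MPI length prefix still gives away the key size class.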




