Question about key size (Was: [ale] ALE PGP Keysigning PartyInstructions)

Tue Jan 14 18:42:39 EST 2003

On Tue, 14 Jan 2003, Jason Day wrote:

> On Tue, Jan 14, 2003 at 09:04:27AM -0700, Chris Ricker wrote:
> > Do you encrypt anything with that 1024-bit key that's worth $1 billion to 
> > someone to crack? If not, don't worry about it yet.
> 
> Well no, but that's not the point.  If 1024-bit keys can in fact be
> brute-forced with $1B, then it's safe to assume that the US government,
> at the very least, can read any message encrypted with a 1024-bit key.

No, it *is* the point. Encryption's a pain. Keys are a pain. The longer they
are, the more painful they are. Going over 2048 bits isn't supported by many
common clients that end users use. Longer keys are markedly slower (doesn't
matter to you on your desktop, but it does matter to me when I do email on
my Zaurus). etc.

djb's machine is estimated to cost $100 million to $1 billion to build,
requires megawatts of power per key crunched, takes some amount of time to
process each key, etc. In other words, it's not free, but its certainly not
out of the reach of, say, the NSA's budget and in-house custom fab
facilities to crack *some* 1024-bit keys.  At the same time, it is still out
of the NSA's reach to crack *all* 1024-bit keys in circulation.

Your protection is two-fold:

1. you don't encrypt something that's worth, say $1 million to decrypt 
(amortizing $1 billion across 1000 compromises), so you're not specifically 
targeted
2. enough people use crypto that the NSA can't possibly process all 
encrypted traffic

#1 you determine.

#2 is the fax machine syndrome. Encryption's one of those things that
becomes more useful when more people adopt it, because your specific
encryption gets lost in the sea of everyone else's encryption. For that to
be true, you have to keep the cost of entry low enough that people adopt it,
which means you have to keep the key sizes small enough that they will work
with people's software and hardware....

> I'm not bringing this up because I have something to hide, but because I
> see little point in encrypting anything if it can be broken at will by
> anyone with enough money.

But that's always the case. Encryption will *never* protect you against
someone with enough money. So it's not cost-feasible to crack your 4096-bit
key today? Fine. I save your traffic, then wait 10 years, or 20 years, or 50
years (there's plenty of traffic which will still have financial value if
decoded 50 years from now. Think about, say, an email containing a trade
secret like the formula of Coke). Moore's Law will have made it affordable
for me to crack it then....

You can never get absolute protection, at least w/ current methods. You can
only get "good enough"  protection. And for most people and most data today,
1024 bits is still "good enough".

> a larger key are.  Since no one has signed my key yet, but I'm planning
> to attend the keysigning party, *now* is the time to worry about it.

So go ahead and do 2048-bit if you want, since you don't have any keys in
circulation already. There's no need to go crazy and do 4096 bits though.  
The inconvenience you'll cause offset the gains.

later,
chris
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale