1994-07-14 - Re: Source Code

Header Data

From: aba@dcs.exeter.ac.uk
To: trollins@debbie.telos.com
Message Hash: b90737ac7200f60a7b306071900456405670bab48a93da41d4029632b1491c91
Message ID: <11761.9407141359@sirius.dcs.exeter.ac.uk>
Reply To: N/A
UTC Datetime: 1994-07-14 14:03:04 UTC
Raw Date: Thu, 14 Jul 94 07:03:04 PDT

Raw message

From: aba@dcs.exeter.ac.uk
Date: Thu, 14 Jul 94 07:03:04 PDT
To: trollins@debbie.telos.com
Subject: Re: Source Code
Message-ID: <11761.9407141359@sirius.dcs.exeter.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain


I have myself speculatively created a PGP with 4096 bit keys, but not
distributed it, I just wanted to investigate the speeds of RSA
operations on 4096 bit keys.  I personally think that it is time for
PGP to move on to larger keys, the arbitrary limit of 1024 or 1264 or
whatever seems restrictive.  You should be able to use as much
security as you need without having to resort to hacked versions.

I have heard the figure of 3000 bits RSA being as hard to break as 128
bit IDEA, however I understand that IDEA is a relatively new algorithm
and has not seen nearly as much exposure to analysis as DES.  For this
reason I think that the proposed 3DEA code is probably in line with
going to 4096 bit keys.

If you were one of the people using DES under the impression that it
was good for many years you should be worried now as the cost of
breaking DES has been estimated at $1m.  No doubt in 10 years time
this figure will be achievable for much less cost.  How would you feel
when it gets to the stage that your messages could be cracked
overnight on a bit of spare workstation time?

For this reason I think that the next version of PGP should have the
ability to specify n IDEA rounds, and arbitrary RSA key sizes.  That
should get the problem overwith once and for all.  The attitude that
1024 bits should be good for the hundreds of years seems nieve and
similar to IBMs 640k limit on DOS at the time 640k no doubt seemed
like a *huge* ammount of memory, I'm now typing in a text editor which
has a binary of 1.8Mb, on a m/c with 80Mb main memory.

One more thing, I think that it should be developed *outside* of the
US, at least until that ITAR thing gets thrown out.

The argument that it would take a googol years to break PGP with
current hardware doesnt hold either as RSA is not proven to be
equivalent to factoring, and better factoring algorithms are
presumably still possible.

However for the people in the US there are still problems with sorting
out a license from PKP which allows unlimited key lengths, and for
these reasons it may be worth waiting to see if this can be achieved.

Adam






Thread