| Both sides previous revisionPrevious revisionNext revision | Previous revision | 
| pgpfan:2048 [2020/06/11 01:07]  – index b.walzer | pgpfan:2048 [2023/10/04 13:07] (current)  – link to new, improved article b.walzer | 
|---|
| ======2048 Bit RSA Keys====== | ======2048 Bit RSA Keys====== | 
|  |  | 
| If you generate a public/private keypair with a recent version of [[https://gnupg.org/|GPG]] you get a 2048 bit RSA key. That fact generates a surprising amount of angst. | Since the creation of this article, there is now a much more detailed discussion of these issues available: | 
|  |  | 
| Currently (2020) the largest RSA key ever actually broken was 829 bits long(([[wp>RSA_Factoring_Challenge]])). Using a random cost off the net for AWS compute capacity the cost works out to around one million USD. | [[em:20482030]] | 
|  |  | 
|  | If you generate a public/private keypair with a recent version of [[https://gnupg.org/|GnuPG]] you get a 2048 bit RSA key by default ((The versions of GnuPG that are showing up in distributions are now (2021) defaulting to 3072 bit RSA. Nothing else has changed so this article is still otherwise relevant.)). That fact generates a surprising amount of angst. | 
|  |  | 
|  | Currently (2020) the largest RSA key ever actually broken is 829 bits long(([[wp>RSA_Factoring_Challenge]])). Using a random cost off the net for AWS compute capacity the cost works out to around one million USD. | 
|  |  | 
| So how much harder would it be to break a 2048 bit RSA key? | So how much harder would it be to break a 2048 bit RSA key? | 
| RFC3766 gives a method that produces an equivalent "symmetric" key strength. [[https://www.keylength.com/en/compare/|This]]((Set to "Enter a factoring modulus size" and hit the "Compare" button)) website did the work and produced 65 bits for 829 bit RSA and 103 bits for 2048 bit RSA. That's a difference of 38 bits. Every time you add a bit to a symmetric cipher you double the brute force (guessing) effort required to break it. With 38 doublings we have an extra difficulty factor of 275 billion. So it is unlikely that anyone will be breaking 2048 bit RSA any time soon. But what about later? | RFC3766 gives a method that produces an equivalent "symmetric" key strength. [[https://www.keylength.com/en/compare/|This]]((Set to "Enter a factoring modulus size" and hit the "Compare" button)) website did the work and produced 65 bits for 829 bit RSA and 103 bits for 2048 bit RSA. That's a difference of 38 bits. Every time you add a bit to a symmetric cipher you double the brute force (guessing) effort required to break it. With 38 doublings we have an extra difficulty factor of 275 billion. So it is unlikely that anyone will be breaking 2048 bit RSA any time soon. But what about later? | 
|  |  | 
| There are organizations that produce authoritative looking lists of key sizes VS dates. The idea is that you decide how long you want your data to be secure, look up the date and choose the resulting key size. Such lists are unlikely to be better than the sort of guessing anyone could do. | There are organizations that produce authoritative looking lists of key sizes versus dates. The idea is that you decide how long you want your data to be secure, look up the date and choose the resulting key size. Such lists are unlikely to be better than the sort of guessing anyone could do. | 
|  |  | 
|  | That is particularly true now that we are coming up against the hard physical limits of the silicon based technology we use for computing. [[wp>Moore's law]] is no longer useful for predicting future computing capability. Further significant progress will require a new technology; an invention. Such an invention could come anytime between now and never. | 
|  |  | 
| That is particularly true now that we are coming up against the hard physical limits of the silicon based technology we use for computing. [[https://en.wikipedia.org/wiki/Moore's_law|Moore's law]] is no longer useful for predicting future computing capability. Further significant progress will require a new technology; an invention. Such an invention could come anytime between now and never. | Further improvements in software methods of breaking RSA will require an invention as well and the field has kind of gone cold. There have been no significant improvements in 15-20 years. A breakthrough could come any time between now and never. | 
|  |  | 
| In the same way, further improvements in software methods of breaking RSA will require an invention and the field has kind of gone cold. There have been no significant improvements in 15-10 years. A breakthrough could come anytime between now and never. | A plan based on a future invention is no more than wishful thinking. There is no reason to think that more RSA bits could help in any way that would matter. There is no reason to think that another method would somehow be better. As a result I have no rational reason to not accept the default of 2048 bit RSA as suggested by GnuPG. | 
|  |  | 
| A plan based on a future invention is no more than wishful thinking. There is no reason to think that more RSA bits could help in any way that would matter. There is no reason to think that another method would somehow be better. As a result I have no rational reason to not accept the default of 2048 RSA as suggested by GPG. | If you are worried about the possible repercussions of quantum computing there currently are no quantum resistant algorithms available in the OpenPGP standard to choose instead of RSA. Elliptic curve based methods are weaker in the face of quantum computing than RSA. There have been no actual demonstrations of the sort of operations required to break RSA on a quantum computer at even the most trivial level (([[https://arxiv.org/abs/1301.7007|Pretending to factor large numbers on a quantum computer]] referenced from [[https://crypto.stackexchange.com/questions/59795/largest-integer-factored-by-shors-algorithm|here]])). Such a computer does not exist and no one knows how to make one. So the quantum threat to RSA hinges on an invention. | 
|  |  | 
| [[pgpfan:index|PGP FAN index]] | [[pgpfan:index|PGP FAN index]] | 
|  |  | 
|  |  |