Re: [openpgp] Upgrading PGP Keysize from 4096 to 8000

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 19 August 2022 01:04 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09868C1524D8 for <openpgp@ietfa.amsl.com>; Thu, 18 Aug 2022 18:04:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.409
X-Spam-Level:
X-Spam-Status: No, score=-1.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtTwFCNXnAUd for <openpgp@ietfa.amsl.com>; Thu, 18 Aug 2022 18:04:16 -0700 (PDT)
Received: from mail-oa1-f53.google.com (mail-oa1-f53.google.com [209.85.160.53]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FCF7C1524CD for <openpgp@ietf.org>; Thu, 18 Aug 2022 18:04:16 -0700 (PDT)
Received: by mail-oa1-f53.google.com with SMTP id 586e51a60fabf-f2a4c51c45so3679501fac.9 for <openpgp@ietf.org>; Thu, 18 Aug 2022 18:04:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=1ZLQwaqPEyX4lXv6yVcNL9zVHhzvuKGsrNZyZiALvoI=; b=pu2D9xyduwgvbL6QzYNW6Hlb3Xd+JhUvH69qnyKkSkBs29dSfdPG4aYmajx04WM9a8 5GZ1ACf9tK0VGj8tEZcQW+nqFxdwhusbuWYPp0kbNfdgWIp9wkD9Bkd1ma/ARv3jY1r7 uRrVkM8Ixz5P1teot8CCqeFtza81JUOq7qoVh7Ap94O49U4xFPP8o3ol2Y+S9L3wM0/L SZq+97W6pEhVOU5BvvtpDpsSb4qMAN9fuSJP2esDKjFdNnP/sfCeMBI/I5XK2la2g7q0 YI5Zwq8HCaG08elRA3t4q0fYT/8qkrhHlNwjFAjMPNb+oAhjZU83yL/GZWB05E+HZBX4 3jhQ==
X-Gm-Message-State: ACgBeo1XhKvtjLbF/Kr8z9rxPJXW7TlR+2y0qqf8kZUvAz4Fyzh2JO9B FsnX6Me7bzmZlSKXDiyiYOJhk+CjBR6jioKELxs=
X-Google-Smtp-Source: AA6agR5W2vEa/VwnLEmoiY7fptrZcN4UMu/qK34XLde6bdJFJ+44/9LFQh1YI0x357JY8TZsSpUWnCVhUb4JDXJ3Jmo=
X-Received: by 2002:a05:6870:1601:b0:101:5e61:d8ee with SMTP id b1-20020a056870160100b001015e61d8eemr2608283oae.244.1660871055601; Thu, 18 Aug 2022 18:04:15 -0700 (PDT)
MIME-Version: 1.0
References: <uItahvLyOD6ao4d1fJRya5ERg96Qgr8woAwKMu06pyaUaCWRPcaYLzLFjJCORVcfGLSQ9tAYl-m0rWWJlo7K38uQ62H9MYk0QVKYpGl4XGI=@proton.me>
In-Reply-To: <uItahvLyOD6ao4d1fJRya5ERg96Qgr8woAwKMu06pyaUaCWRPcaYLzLFjJCORVcfGLSQ9tAYl-m0rWWJlo7K38uQ62H9MYk0QVKYpGl4XGI=@proton.me>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 18 Aug 2022 21:04:05 -0400
Message-ID: <CAMm+Lwhxom+Pk0tin-7ax_seQY=Dp3nKyKnBBnUdGq_XNMY+xg@mail.gmail.com>
To: ericwrightsd619@proton.me
Cc: openpgp <openpgp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004974fa05e68dad48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/o_Nt0CkEq0XZAXTjPV5b4RltV9o>
Subject: Re: [openpgp] Upgrading PGP Keysize from 4096 to 8000
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 01:04:21 -0000

On Thu, Aug 18, 2022 at 11:32 AM <ericwrightsd619=40proton.me@dmarc.ietf.org>
wrote:

> Hi, as technology gets faster we must increase our keysizes preemptively
> to ensure future-security.
>
>
> I am suggesting increasing the PGP MAXIMUM keysize to double the current
> maximum. A larger key could be twice as secure, and would only take a few
> seconds longer to encrypt a message.
>
> please increase the pgp keysizes.
>

No, switch to ECDH, it is more secure.

The problem with RSA is that the key size is subject to diminishing
returns. 1024 bits only gives you a work factor of 2^80. Doubling that
gives you only 2^110. You have to go to 3096 to get to the 2^128 bit work
factor we are comfortable with and to get 2^256 you need over 16,000 bits.

Longer key sizes are unlikely to improve quantum cryptanalysis either.
While the super-cold machines being built by IBM and Google are slowly
improving and we could reasonably hope for RSA3096 to remain safe up to a
decade after Curve25519 falls, that is unlikely to be the architecture that
wins the race. It is subject to diminishing returns and some hard limits on
keeping things cold. If there is a Quantum cryptanalysis threat, it will
come from the trapped ion machines and those can be made with regular VLSI
processes if they can be made at all. So what that means is the first
production devices are likely to have tens of thousands to millions of
qbits.


Bottom line is we should forget RSA at this point and work on use of
Threshold and PQC systems.