> One assertion (from Robert J. Hansen) implies that a "high school > math overview of large number theory" suggests that it may well be > reasonable to require 2400 bits of entropy to generate a 2048-bit RSA > key.
And unreasonable, too. I specifically said that I couldn't use it to argue one side or another, but rather it illuminated the uncertainty of both sides. A capsule summary is below. > The other assertion (From Peter Gutmann) says that it's not > necessary (with a sarcastic allusion to "numerology")... I concur with Peter's assessment that it's numerology. :) > 1) key generation routines for these problems need an unpredictable > source of entropy with which to search the space of possible values > to produce a proper secret key. A 2048-bit number as used in RSA has ~2028 shannons of uncertainty (due to not every number being prime). To sort through 2028 shannons of uncertainty using the general number field sieve requires approximately 2^112 work. (*Approximately*.) So I see an enormous disconnect between the uncertainty of the prime and the work factor that goes into breaking the key. We talk about how a key has so many shannons of entropy, but the reality is different: it has so much equivalent work factor. If we reduce the uncertainty of the prime to a "mere" 112 shannons, will that affect the work factor for the GNFS? I don't know, and I don't trust my sense of large number theory enough to even have a good guess. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
