> AFAIK RSA-3072 (and ElGamal-3072) are comparable to AES-128.

No: they're comparable to AES-128 *at our present level of mathematical knowledge*. That's a very important qualifier.

Back in the mid-to-late '80s, Ron Rivest declared that 1024-bit RSA keys would be unbreakable for at least the next century. The initial releases of PGP 2.6 offered 512-bit, 768-bit, and 1024-bit keys, and people recommended against using 1024-bit keys the same way we recommend against 16384-bit keys today. And, at the time these predictions were made, there was every reason to think they were accurate. They just all made the same error, which was thinking the quadratic field sieve couldn't be improved upon. That was a conjecture. It turned out to be false. When the general number field sieve was invented, almost immediately afterwards factoring records began to fall. Today, 512- and 768-bit keys are considered grossly inadequate, and a 1024-bit key is on the razor's edge of adequacy.

I don't know when the next mathematical revolution (something like the general number field sieve) will come along. But when it does, it's going to really upend the apple cart and our RSA-3072 keys aren't going to be equivalent to AES-128 any more.

> That's strong enough for the foreseeable future; the only known thing
> they are vulnerable to (except for rubber-hose cryptography,
> keyloggers and other "cheats") is a working quantum computer.

No, they're vulnerable to some graduate student slurping up a bowl of ramen who looks at something on the blackboard and says, "hey, that's weird." It's happened before: look into George Dantzig.

Dan Boneh has already published an awe-inspiring paper showing that RSA isn't anywhere near as safe as we think it is: http://crypto.stanford.edu/~dabo/abstracts/no_rsa_red.html

Breaking RSA is not equivalent to factoring; it's possible to break RSA without needing to factor large numbers. We just don't know how and we've made precisely zero headway on that question. But you never know when a George Dantzig will appear.

And that means I think your long-term confidence in RSA is misplaced.
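The "RSA-3072 is comparable to AES-128" figure the post argues about is itself derived from the running time of the best known factoring algorithm. The added example below (not part of the original message) shows how that equivalence is obtained from the L-notation cost of the general number field sieve, and how the same calculation comes out under the older quadratic sieve cost, which is the point the post makes about the equivalence depending on current mathematical knowledge. It assumes the standard asymptotic costs L[1/2, 1] for the quadratic sieve and L[1/3, (64/9)^(1/3)] for GNFS, and scales from a single calibration point (RSA-1024 taken as 80 bits, the NIST SP 800-57 rating) since the formulas hide constant factors.

```python
import math

LN2 = math.log(2)

# (alpha, c) for the asymptotic running time
#   L_n[alpha, c] = exp(c * (ln n)^alpha * (ln ln n)^(1 - alpha))
# of each factoring algorithm, as a function of the modulus n.
QUADRATIC_SIEVE = (1 / 2, 1.0)
GNFS = (1 / 3, (64 / 9) ** (1 / 3))


def log2_cost(modulus_bits, algorithm):
    """log2 of the L-notation cost of factoring a modulus of modulus_bits bits."""
    alpha, c = algorithm
    ln_n = modulus_bits * LN2
    return c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha) / LN2


def security_bits(modulus_bits, algorithm, anchor=(1024, 80.0)):
    """Symmetric-equivalent strength of an RSA modulus under one cost model.

    L-notation omits constant factors, so it is only used to scale relative
    to one calibration point (RSA-1024 = 80 bits, per NIST SP 800-57). The
    anchor is held fixed for both models so that only the algorithm's growth
    rate changes between the two columns.
    """
    anchor_bits, anchor_strength = anchor
    return anchor_strength + log2_cost(modulus_bits, algorithm) - log2_cost(anchor_bits, algorithm)


def modulus_for_strength(target_bits, algorithm, step=128):
    """Smallest modulus size (a multiple of step) rated at least target_bits."""
    bits = step
    while security_bits(bits, algorithm) < target_bits:
        bits += step
    return bits


if __name__ == "__main__":
    print("modulus   QS-era rating   GNFS-era rating")
    for bits in (512, 768, 1024, 2048, 3072):
        qs, nfs = security_bits(bits, QUADRATIC_SIEVE), security_bits(bits, GNFS)
        print(f"{bits:>6}  {qs:13.0f}  {nfs:15.0f}")
    for name, alg in (("QS", QUADRATIC_SIEVE), ("GNFS", GNFS)):
        print(f"AES-128-equivalent modulus under {name}: {modulus_for_strength(128, alg)} bits")
```

Under the GNFS cost RSA-3072 lands near the familiar 128-bit rating, while the same modulus would have rated well above that under the quadratic sieve cost; a future algorithm with a smaller exponent would move the column the other way.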
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users