On Fri, Oct 04, 2024 at 03:47:50AM -0400, Robert J. Hansen via Gnupg-users wrote:
> > to skip PGP-2 keys in existing keyrings. And of course the PGP-2
> > encryption has not been broken - only signatures are vulnerable to the
> > full MD5 hash algorithm attacks we know for 25 years.
>
> Given that PGP 2.6 offered "military-grade" 1k RSA keys, I think it's
> dangerous to think PGP 2.6 encryption is safe.
>
> 1k RSA is conjectured to require resolving about 80 bits of entropy.

There is more to factoring RSA numbers than just compute ability. You need a large amount of memory (100s of Gb in the 1024 bit case) tightly coupled to a lot of processing power to do the matrix reduction phase of the number field sieve algorithm used. That's not the sort of thing that is normally available commercially, rentable on a yearly basis.

Even if you just consider compute costs, you are looking at a price tag in the billions of dollars range[1].

A nation state with the ability to crack 1024 bit RSA would not spend years and billions of dollars on the messages/files of a single entity. They would be able to get the information they wanted for much less.

So for current OpenPGP usage, 1024 bit RSA is for all practical purposes secure.

[1] https://crypto.stackexchange.com/questions/109810/how-could-a-1024-bits-rsa-modulus-be-most-economically-factored-within-months-to

Bruce