[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Are 2048-bit pgp keys really secure ?
-----BEGIN PGP SIGNED MESSAGE-----
A 2048-bit pgp key ( n=p*q somewhere around 2^2048,
p and q somewhere around 2^1024) is only as secure as it looks
like, if both p and q are prime numbers.
In fact p and q are only pseudo prime numbers, they are not proven to
be prime numbers. It is known only that they have a high probability
to be prime numbers.
Usually a candidate number is send through a probabilistic prime test
which says either "No, not a prime" or "a prime with a probability of
at least 50% ". Usually this test is repeated 10 or 20 times, so after
passing this iteration the probability of having a prime number is at
least 1:2^10 or 1:2^20 .
Would such a test be sufficient for generating 1024-bit prime numbers?
Does it make sense to use pseudo-prime-numbers with a low probability of
1:2^10 only to generate a rsa key with a 2048 bit n ?
Now have a look at pgp2.6.2:
In genprime.c the prime numbers are generated. After testing the
candidates with a table of small primes, they are passed to
slowtest(). [Read slowtest and its comment...]
slowtest() does not do one of the usual primality tests. It just passes
the candidate through a Fermat test. Only four (4!) passes are done.
The comment of slowtest() gives a probability of 10^-44 to fail for a
number of about 512 bit. If this is true ( 10^-44 ~ 2^-146 ), about
one of 10^44 keys is weak. This shouldn't be a problem, 10^44 is quite
big.
But at the moment I can't follow the arguments, why 4 Fermat tests
should be enough to find good (pseudo-)primes. I can't see a reason
why the iteration should already be stopped after the 4th
loop. Generating a key should be worth to wait some minutes longer,
especially when this doesn't need interactive work. I am also not
convinced yet of the Fermat test. Why not use a Rabin-Miller-Test ?
I have read only a very small piece of the pgp code yet, but if I
understand the code of slowtest well (correct me if not...) the
command mp_init(x, primetable[i]) for i=0,1,2,3 sets mpi x to
the values 2,3,5,7 . If I understood this well, the slowtest() is
nothing more than testing for a given p whether
2^(p-1) = 1 mod p
3^(p-1) = 1 mod p
5^(p-1) = 1 mod p
7^(p-1) = 1 mod p
Any comments?
BTW: The comment of slowtest() references "Finding Four Million Large
Random Primes", by Ronald Rivest, in Advancess in Cryptology:
Proceedings of Crypto '91.
I have the "Advances in Cryptology - Crypto '91, Proceedings", Lecture
Notes in Computer Science, 576, Springer, here. Call me blind or
stupid, but I can't find the referenced Article. Neither the Title in
the contents, nor R. Rivest in the Author Index. Can anybody tell me
where to find the referenced Article ?
Hadmut Danisch
BTW 2: pgp2.6.2 doesn't work well if a key identified by its keyid is
keychecked ( pgp -kc 0x... ). It stops after the first signature
with a signators key shorter than the signed/checked key, because the
global precision is changed and not changed back for testing the
signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBLwBtzGc1jG5vDiNxAQHi6wP/WS3afYhQ0ijJZfWbByjtvPrCZtCfDs1M
1p8Paqx0ZIIgCE2G6tY8JTlZ6tn5nEY4/qGHS3Q3TrO77HVheKq2bHMajGzSA3At
CoX65ycg2Pn30q7PeLY89vtNosW568CqnmpPAmusD+o9CFO6RpFFZxIb5pgY5brF
8ll/F1ztdmM=
=JZS6
-----END PGP SIGNATURE-----