0

It has for many years been popular to use RSA keys that have lengths that are powers of two. E.g. 1024-bit, 2048-bit and 4096-bit key lengths are all popular for use with OpenPGP implementations such as GnuPG, and with OpenSSH, etc, and these key lengths are often either defaults in the software generating the keys, or are recommended by organisations whose participants are required to generate keys (e.g. Debian).

I have heard it said that, because cryptanalysts in practice will have devoted more resources towards breaking keys with popular lengths, and because popular lengths are powers of two, choosing a key length that is not a power of two would provide a practical security advantage, even if this means choosing a slightly shorter key length than one would otherwise desire (e.g. 4093-bit key instead of 4096-bit).

Is there any sense in that saying? Put another way, what (if any) are the reasons for which a cryptanalytic attack that would succeed against a 4096-bit key would fail or take significantly longer against a shorter key whose length is not a power of two?

  • 1
    AFAIK, the best methods for breaking RSA have no limitation to working with power-of-two key sizes. They work equally well on other key sizes. For some of the reasons to use powers of two, check out this other question: http://crypto.stackexchange.com/questions/7849/why-are-rsa-key-sizes-almost-always-a-power-of-two – mikeazo Mar 17 '15 at 14:04
  • The other question covers the topic nicely already. This is like asking "Why is the data type int in most common programming languages 32 bits?" – tylo Mar 17 '15 at 14:35
  • Your paragraph 2 is the precise opposite of how security works. The general rule of thumb is that having more cryptographers looking at something is a strength of that thing; it means that a break is more likely to be found by someone who will publish it and tell everyone instead of someone who will hide it use it to steal your information. The only way to have confidence that something is secure is to have a lot of competent people analyze it and have none of them find an attack. – cpast Mar 17 '15 at 15:41
  • @Gilles, oddly, the answer you posted to q7849 implies a reason why the saying in my question above might be true: specifically, that non-2^n key sizes would require the attacker to produce a more comprehensive and better-tested attack implementation than would otherwise be the case. This implication isn't explicitly discussed in any of the answers to q7849. As such, I don't think my question as it stands is, so far, either a duplicate or already answered. Still, I'm grateful to the commenters :) –  Mar 17 '15 at 16:03
  • Closed it, but for more information, see how the RSA factoring challenge doesn't keep to powers of two at all. So answer is "no". – Maarten Bodewes Mar 17 '15 at 17:21
  • @MaartenBodewes, fair enough. Thanks for the link. –  Mar 17 '15 at 18:36
  • @sampablokuper The cost for the attacker of a bug in the attacker's crypto library is negligible. The situation is not at all symmetric. Increasing the test coverage requirement costs the defender a lot more than it costs the attacker. That contributes to proving the saying false. – Gilles 'SO- stop being evil' Mar 17 '15 at 21:16

0 Answers0