Seperate RSA subkeys for decryption and signing or one for both?

Nicholas Cole nicholas.cole at gmail.com
Tue Dec 4 17:07:26 CET 2012


On Tue, Dec 4, 2012 at 12:19 PM, Hubert Kario <hka at qbs.com.pl> wrote:
> On Monday 03 of December 2012 12:41:10 Hauke Laging wrote:
>> Hello,
>>
>> are there arguments for preferring either
>>
>> a) having one RSA subkey for decryption only and one for signing only
>>
>> or
>>
>> b) having only one RSA subkey for both decryption and signing?
>>
>> Do any problems arise with the smartcard if the same key shall do different
>> tasks?
>
> Keys can become "used up" so it entirely depends on how often you use it.
>
> What I mean by that, is that any signing operation leaks some information
> about the key used for signing (generally far less than few tens of a bit).
> If you have signed tens of thousands of documents with it, an attacker can
> recover substantial portion of the key and speed up the key recovery.

Do you have a reference for this? I thought the major reason to use
separate signing/encryption keys was that if a user could be persuaded
to sign a chosen encrypted text with the same key, the decryption key
would be revealed.

http://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig

I've never read before that a key could be "used up" in this way.



More information about the Gnupg-users mailing list