1024 key with 2048 subkey: how affected?

[Robert J. Hansen]

On 1/23/12 4:08 PM, John Clizbe wrote:
> Depending on the source, a consensus seems to be forming that beyond
> a 2048 or 3072 bit modulus for DSA2 or RSA, folks need to switch to
> ECC.

Emphatic agreement -- this is clarification, not dispute:

A lot of people like to refer to _Applied Cryptography_ or _The Handbook
of Applied Cryptography_ for information on algorithms, and for very
good reason: they've generally got excellent information.  They are also
old books.  _AC_ is coming up on twenty years old, for instance, and
_HoAC_ isn't much younger.  At the time these books were written the
jury was still out on whether ECC had firm theoretical underpinnings.
Nowadays the jury is back, and ECC is generally recognized as being as
reputable as RSA, DSA or Elgamal. [1]

ECC will be coming to OpenPGP sooner or later, and probably sooner.  I'd
be astonished if we didn't have ECC by, say, 2017.



[1] You can thank Fermat for this.  It turns out that proving Fermat's
Last Theorem was instrumental in establishing the correctness of ECC.
In 1995, Andrew Wiles proved the Taniyama-Shimura conjecture over
semi-stable elliptic curves.  This in turn proved Fermat's Last Theorem,
and directly led to cryptographers having confidence in elliptical curve
cryptography.  So the next time someone presents Fermat's Theorem as a
mathematical curiosity with no practical purpose, tell them the next
generation of encryption algorithms begs to differ...