DSA2

Qed qed at tiscali.it
Thu Sep 21 17:55:26 CEST 2006


Maybe this should have gone to gnupg-devel, where the thread was started :-)

On 09/21/2006 02:59 PM, Robert J. Hansen wrote:
>> I am right that this is not a new algorithm as such,
> 
> The problem with describing anything as a 'new algorithm' is, where do
> you draw the line for new?  Changing just one line in a specification
> could be enough to categorize something as 'new', if you wanted to
> define it that way.
> 
> It's more apt to say that DSA2 is very closely related to the original
> DSA.  DSA2 is a logical outgrowth of the older DSA specification.
> 
>> it is just the old one with longer key sizes?
> 
> And better hash algorithms.
> 
>> And that the only reason it has been restricted to 1024 in the past
>> is a US standard?
> 
> DSA is part of a United States FIPS (Federal Information Processing
> Standard).  In this FIPS a scheme called DSS, the Digital Signature
> Standard, is defined.  DSS specifies that DSA with SHA-1 will be used
> for all signatures.
> 
>> Or was there any fear that a larger key size with that algorithm
>> would not provide security?
> 
> At the time DSA was designed, 1024 bits of the Discrete Logarithm
> Problem was widely considered to be enough for all practical purposes.
> It isn't considered to be so any longer and various attacks are being
> discovered against SHA-1 (which DSS requires to be used with DSA), so a
> revised FIPS was put out addressing these two concerns.
> 
>> Is the new upper limit of 3072 bits picked for any particular reason?
> 
> Because this is the new upper limit in the FIPS.
> 
> If you're asking why the FIPS chose 3072-bit keys as the upper limit, I
> suspect their reasoning is that attacking 3072-bit DLP is a pipe dream
> now and for the foreseeable future.
> 
> For whatever it's worth, some critics of OpenPGP point to the lack of a
> hash function firewall in DSA and DSA2 keys as a big unresolved security
> issue.  These critics are of the opinion the RSA signature specification
> is better-defined.  While I haven't looked at the spec enough to see if
> DSA2 still lacks a hash function firewall, the criticism should probably
> be brought up and considered, especially if you're thinking of migrating
> your key to a different signature algorithm.
> 
-- 

  Q.E.D.
War is Peace
Freedom is Slavery
Ignorance is Strength

ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96  DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!



More information about the Gnupg-devel mailing list