DSS Standard

Werner Koch wk@gnupg.org
Wed, 23 Aug 2000 18:59:58 +0200


On Wed, 23 Aug 2000, Stefan Nobis wrote:


> I found the following on the web, which says that the DSS standard is
> a bit bad and not very secure - is this true?
Nonsense.
> -----------------------------------------------------------------------
> [Y - public key, X - secret key, G - generator, P - prime]
> Y = GX mod P
>
> The DSS (Digital Signature Standard) restricts the size of the prime P
> to 1024 bits, which appears as a minor restriction compared to the RSA
> algorithm which commonly uses 1024-2048 bits. But it's more important
> for the datafiend, that this standard restricts the secret key to 160
> bits as well. Therefore it is enough to check a relevant part of the
> numbers between 0 and 2160 to find the secret key, while the size of
s/2160/2^160/
> the prime does only increase the time for calculation of one single
> test but does not increase the amount of possible secret keys.
It does not help to have huge keys if you don't have a hash algorithm with a matching length of the digest. Matching here does mean, that the time to break the secret key is of the same order as the one to calculate collisions in the hash digests. RSA+MD5 of any keysize is weaker than 1024 bit DSA+SHA1. BTW, the NSA is working on a larger hash and as soon as it has been "proofed" that this is one is secure, we can use DSA with larger key sizes. Werner -- Werner Koch GnuPG key: 621CC013 OpenIT GmbH http://www.OpenIT.de -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org