Re: Suggested changes for DSA2

David Shaw <> Tue, 28 March 2006 02:32 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1FO40U-0003pA-Ja for; Mon, 27 Mar 2006 21:32:30 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1FO40U-0001SB-6p for; Mon, 27 Mar 2006 21:32:30 -0500
Received: from (localhost []) by (8.13.5/8.13.5) with ESMTP id k2S22Rc1032973; Mon, 27 Mar 2006 19:02:27 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.13.5/8.13.5/Submit) id k2S22Rdq032972; Mon, 27 Mar 2006 19:02:27 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.13.5/8.13.5) with ESMTP id k2S22Q8f032966 for <>; Mon, 27 Mar 2006 19:02:27 -0700 (MST) (envelope-from
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id k2S22Pk20897; Mon, 27 Mar 2006 21:02:25 -0500
Received: from ([]) by (8.13.6/8.13.5) with ESMTP id k2S22SWe020966; Mon, 27 Mar 2006 21:02:28 -0500
Received: from ( []) by (8.13.1/8.13.1) with ESMTP id k2S22I8u026527; Mon, 27 Mar 2006 21:02:18 -0500
Received: (from dshaw@localhost) by (8.13.1/8.13.1/Submit) id k2S22FGL026526; Mon, 27 Mar 2006 21:02:15 -0500
Date: Mon, 27 Mar 2006 21:02:15 -0500
From: David Shaw <>
To: Hal Finney <>
Subject: Re: Suggested changes for DSA2
Message-ID: <>
Mail-Followup-To: Hal Finney <>,
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
OpenPGP: id=99242560; url=
User-Agent: Mutt/1.5.11
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8

On Mon, Mar 27, 2006 at 03:22:15PM -0800, "Hal Finney" wrote:
> David writes:
> > For implementation of signature verification you can just take p and q
> > straight from the public key.  You don't need to guess since the key
> > has all the information you need.
> With signatures, it is the verifier more than the signer who is vulnerable
> and who needs to be protected.  The problem is that as the verifying
> software it is my responsibility to provide some level of assurance to
> the user about how strong this signature is.
> Right now at best we only report the key size.  I'd like to make sure that
> q is as strong as p.  Otherwise we might see a 4096 bit key with a 160 bit
> q, so it is really no stronger than a 1024 bit key.  It is hard to report
> to the user how strong a signature by that key should be considered to be.
> This problem goes away if we standardize on the q sizes that go with
> certain p sizes.  That's what I'd like to do.  Any keys that break the
> rules would be considered invalid.  Maybe we don't have to just do the
> FIPS ones but could extend them somewhat.

Forgetting DSA2 for a moment, this isn't a new problem.  We have this
same key size / hash size mismatch possibility today with DSA1 (since
DSA in 2440 could be 768-1024 bits), and again with RSA (which can use
any hash, regardless of the key size).  Fixing the q sizes for DSA2
doesn't really solve this.

I do agree there is an issue here, but I have trouble seeing it in
terms of something that can be fixed in the standard, especially in a
reasonably future-proofed way.  It just feels a bit like pushing a
user or UI problem into the data specification.

Implementations are free to use whatever guidelines they like in
presenting signature information to the user.  It would be very
reasonable for a program to pop up some sort of "Warning: the hash
used in this signature is weaker than the key", or "this signature has
xxxx bits of assurance" or whatever sort of message is deemed most
understandable.  I just think that the onus is on the implementation
to do this, and not the standard.

That said, I would support language (perhaps in the Security
Considerations or signature sections) that read something like this:

   When verifying a signature, it may be noted that the strength of
   the signing key and the strength of the hash used are not similar.
   In such cases, implementations MAY/SHOULD warn the user that the
   overall signature strength is limited by the weakest part.  In
   extreme cases, the implementation may wish to consider the
   signature to be in error.  While conventional wisdom may change
   over time as to the strength of algorithms, at publication time,
   one such set of guidelines is [SP800].

And add a cite for [SP800] to the NIST key length / hash length guide.