Re: NIST publishes new DSA draft

David Shaw <dshaw@jabberwocky.com> Mon, 20 March 2006 20:52 UTC

Date: Mon, 20 Mar 2006 15:28:41 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: NIST publishes new DSA draft
Message-ID: <20060320202841.GA3994@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <20060314194447.4D59A57FB0@finney.org> <20060316192823.GA9945@jabberwocky.com> <441ACF45.704@systemics.com> <87fylhdq36.fsf@wheatstone.g10code.de> <20060317174937.GC13241@jabberwocky.com> <3C3EAEDD-7724-4E92-AA3C-49B5B2E6F3F9@callas.org>
In-Reply-To: <3C3EAEDD-7724-4E92-AA3C-49B5B2E6F3F9@callas.org>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc

On Sun, Mar 19, 2006 at 11:51:17AM -0800, Jon Callas wrote:

> I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
> like it, myself. The reason is that SHA-224 is really a truncated
> SHA-256. Thus, it has no advantages over SHA-256 except being smaller
> by 32 bits with 112 bits of security. The reason it exists at all is
> for crypto-balance with 2-key 3DES (which is not TDEA), which we
> don't allow at all. I don't think we should have it as it goes
> against our principles of wanting a minimum of 128 bits of security
> in OpenPGP. (Yes, yes, I know that SHA-1 doesn't meet this either,
> but until SHA-256, we didn't have many options. That doesn't mean the
> principle is wrong; we *have* options.)

I understand the argument about wanting 128 bits of security, but
since the new DSA allows a 224 bit q, there just isn't room for 128
bits of security.  Whether we truncate SHA-256 and call it "truncated
SHA-256" or truncate SHA-256 and call it "SHA-224", we have to
truncate.

We support DSA now, with a note saying that if someone wants DSS, they
need to use SHA-1.  I suspect we'll end up in a similar place with
DSA2 allowing whatever key size and q size that people want to use and
a note that if they want DSS they need to use one of the four
NIST-blessed key size / q size pairs.

I lean towards adding SHA-224 as one of those four pairs has a 224-bit
q, and NIST suggests SHA-224 for this size.  It's only a lean towards
adding it as NIST also suggests truncated 256, 384, or 512 as valid
options, so 224 is not the only game in town.  (384 seems a little
silly as it would be a truncation of a truncation, but it's an
option.)  It's really a feeling that we currently support 4 out of the
5 FIPS-approved hash functions (SHA-1, 256, 384, 512), and since
supporting the 5th (224) is so trivial, we may as well be complete.

I'll defer to someone who feels more strongly about this than I do.

David
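Added example (not part of this thread): the hash-truncation rule the message refers to, as written in FIPS 186-3 (z is the leftmost min(N, outlen) bits of the digest), applied to the four (L, N) pairs the standard lists, plus a check that SHA-224 is not a byte-prefix of SHA-256 (it uses different initial values), so "truncated SHA-256" and "SHA-224" are distinct functions even though both give 224 bits. The pair table and the per-L strength figures are taken from FIPS 186-3 and NIST SP 800-57, not from the message.

```python
import hashlib

# The four (L, N) = (p bits, q bits) pairs of FIPS 186-3 and the hash NIST
# pairs with each. Assumption: copied from the standard, not from this thread.
NIST_DSA_PAIRS = {
    (1024, 160): "sha1",
    (2048, 224): "sha224",
    (2048, 256): "sha256",
    (3072, 256): "sha256",
}

# Approximate security strength of the modulus size L (NIST SP 800-57).
L_STRENGTH = {1024: 80, 2048: 112, 3072: 128}


def dsa_hash_to_int(msg: bytes, hash_name: str, n_bits: int) -> int:
    """FIPS 186-3 signing step: z = leftmost min(N, outlen) bits of Hash(M).

    Works for any hash, so SHA-224, SHA-256, SHA-384 or SHA-512 can all be
    fed to a 224-bit q; for SHA-1 (160 bits) nothing is dropped.
    """
    digest = hashlib.new(hash_name, msg).digest()
    outlen = len(digest) * 8
    keep = min(n_bits, outlen)
    # Shifting right discards the rightmost (outlen - keep) bits.
    return int.from_bytes(digest, "big") >> (outlen - keep)


def security_bits(l_bits: int, n_bits: int, hash_name: str) -> int:
    """Strength of a DSA (L, N, hash) choice: the weakest of p, q and hash.

    q gives about N/2 bits (generic discrete-log), the hash about outlen/2
    (collisions), and p the figure in L_STRENGTH.
    """
    outlen = hashlib.new(hash_name).digest_size * 8
    return min(L_STRENGTH[l_bits], n_bits // 2, outlen // 2)


def sha224_is_prefix_of_sha256(msg: bytes) -> bool:
    """False: SHA-224 starts from different IVs, so it is not a byte prefix."""
    return hashlib.sha224(msg).digest() == hashlib.sha256(msg).digest()[:28]


if __name__ == "__main__":
    m = b"constructed sample message"  # constructed input
    for (l_bits, n_bits), h in NIST_DSA_PAIRS.items():
        print(l_bits, n_bits, h, security_bits(l_bits, n_bits, h),
              dsa_hash_to_int(m, h, n_bits).bit_length())
    print("SHA-224 == SHA-256[:28]?", sha224_is_prefix_of_sha256(m))
```

Running it shows that a 224-bit q caps every hash choice at 112 bits, which is the point made above, and that only (3072, 256) with SHA-256 reaches 128.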