Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

Len Sassaman <> Mon, 26 August 2002 21:12 UTC

Date: Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
From: Len Sassaman <>
To: Jon Callas <>
Cc: "Brian M. Carlson" <>, OpenPGP <>

On Sat, 24 Aug 2002, Jon Callas wrote:

> So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
> algorithm does P1363 use with longer keys? What semantics does it have to go
> with it?

P1363 doesn't seem to be linked off of the IEEE site anymore. Does anyone
have a copy they can mirror?

I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not

I understand DSA to be limited to 1024 bits when using a 160 bit hash.
Using a larger hash would allow for larger key sizes. There has been some
speculation that a revised DSS may be specified by NIST using the new
larger SHA hashes. Should we anticipate this and add the new SHAs (at
least SHA-512) to the spec?

FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
even specifies double-width SHA1, since it's my understanding that most
cryptographers are skeptical that double-width SHA1 is any better than
single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
one of the newer NIST SHAs?