Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

Len Sassaman <rabbi@abditum.com> Mon, 26 August 2002 21:12 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22558 for <openpgp-archive@lists.ietf.org>; Mon, 26 Aug 2002 17:12:38 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g7QKuAF10650 for ietf-openpgp-bks; Mon, 26 Aug 2002 13:56:10 -0700 (PDT)
Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7QKu8210644 for <ietf-openpgp@imc.org>; Mon, 26 Aug 2002 13:56:08 -0700 (PDT)
Received: by thetis.deor.org (Postfix, from userid 500) id BE62C4501B; Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thetis.deor.org (Postfix) with ESMTP id AAE7D48023; Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
Date: Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
From: Len Sassaman <rabbi@abditum.com>
X-Sender: <rabbi@thetis.deor.org>
To: Jon Callas <jon@callas.org>
Cc: "Brian M. Carlson" <karlsson@hal-pc.org>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: RFC: DSA key lengths; Elgamal type 16 v. type 20
In-Reply-To: <B98DCB9B.7D7A%jon@callas.org>
Message-ID: <Pine.LNX.4.30.QNWS.0208260007310.19973-100000@thetis.deor.org>
X-AIM: Elom777
X-icq: 10735603
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Sat, 24 Aug 2002, Jon Callas wrote:

> So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
> algorithm does P1363 use with longer keys? What semantics does it have to go
> with it?

P1363 doesn't seem to be linked off of the IEEE site anymore. Does anyone
have a copy they can mirror?

I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not
DSS.

I understand DSA to be limited to 1024 bits when using a 160 bit hash.
Using a larger hash would allow for larger key sizes. There has been some
speculation that a revised DSS may be specified by NIST using the new
larger SHA hashes. Should we anticipate this and add the new SHAs (at
least SHA-512) to the spec?

FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
even specifies double-width SHA1, since it's my understanding that most
cryptographers are skeptical that double-width SHA1 is any better than
single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
one of the newer NIST SHAs?


--Len.