Re: NIST publishes new DSA draft // larger DSA signing keys ?
<vedaal@hush.com> Wed, 22 March 2006 00:14 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FLqzg-0004EA-WF for openpgp-archive@lists.ietf.org; Tue, 21 Mar 2006 19:14:33 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FLqqC-0002ct-WF for openpgp-archive@lists.ietf.org; Tue, 21 Mar 2006 19:04:47 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2LNbkrb095326; Tue, 21 Mar 2006 16:37:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2LNbkKV095325; Tue, 21 Mar 2006 16:37:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2LNbjS8095318 for <ietf-openpgp@imc.org>; Tue, 21 Mar 2006 16:37:45 -0700 (MST) (envelope-from vedaal@hush.com)
Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id B96B7A32BF for <ietf-openpgp@imc.org>; Tue, 21 Mar 2006 15:37:44 -0800 (PST)
Received: from mailserver2.hushmail.com (mailserver2.hushmail.com [65.39.178.21]) by smtp3.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Tue, 21 Mar 2006 15:37:44 -0800 (PST)
Received: from mailserver2.hushmail.com (localhost.hushmail.com [127.0.0.1]) by mailserver2.hushmail.com (8.12.6/8.12.3) with ESMTP id k2LNbiZ3015585 for <ietf-openpgp@imc.org>; Tue, 21 Mar 2006 15:37:44 -0800 (PST) (envelope-from vedaal@hush.com)
Received: (from nobody@localhost) by mailserver2.hushmail.com (8.12.6/8.12.3/Submit) id k2LNbhfv015584 for <ietf-openpgp@imc.org>; Tue, 21 Mar 2006 18:37:43 -0500 (GMT)
Message-Id: <200603212337.k2LNbhfv015584@mailserver2.hushmail.com>
Date: Tue, 21 Mar 2006 18:37:43 -0500
To: ietf-openpgp@imc.org
Cc:
Subject: Re: NIST publishes new DSA draft // larger DSA signing keys ?
From: vedaal@hush.com
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.8 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
until now the discussion has centered on the larger SHA hash sizes in section 4.2 of the NIST draft, the following recommendation about key sizes is listed, and seems to imply that DSA signing key sizes should be the same as DH encryption key sizes: =====[ begin quote ]===== It is recommended that the security strength of the (L, N) pair and the hash function be the same unless an agreement has been made between participating entities to use a stronger hash function; a hash function that provides a lower security strength than the (L,N) pair shall not be used. If the output of the hash function is greater than N (i.e., the bit length of q), then the leftmost N bits of the hash function output block shall be used in any calculation using the hash function output during the generation or verification of a digital signature. Special Publication (SP) 800-57 provides information about the selection of the appropriate (L,N) pair in accordance with a desired security strength for a given time period. An (L, N) pair shall be chosen that protects the signed information during the entire expected lifetime of that information. For example, if a digital signature is generated in 2008 for information that needs to be protected for five years, and a particular (L, N) pair is invalid after 2010, then a larger (L, N)pair shall be used that remains valid for the entire period of time that the information needs to be protected. A Federal Government entity other than a Certification Authority (CA) should use only the first three (L, N) pairs (i.e., the (1024, 160), (2048, 224) and (2048, 256) pairs). A CA shall use an (L,N) pair that is equal to or greater than the (L, N) pairs used by its subscribers. For example, if subscribers are using the (2048, 224) pair, then the CA shall use either the (2048, 224), (2048,256) or (3072, 256) pair. Possible exceptions to this rule include cross certification between CAs, certifying keys for purposes other than digital signatures and transitioning from one key size or algorithm to another. See SP 800- 57 for further guidance. =====[ end quote ]===== can increasing the size of a DSA signing key to equal a the size of a DH encryption key be done, and still be a valid V4 key, with larger SHA signatures verifiable by existing open-pgp implementations, or does it need a new key type before it can be done? vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485