Re: NIST publishes new DSA draft

David Shaw <dshaw@jabberwocky.com> Fri, 17 March 2006 18:07 UTC

Date: Fri, 17 Mar 2006 12:49:37 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Werner Koch <wk@gnupg.org>
Cc: Ian G <iang@systemics.com>, Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
Subject: Re: NIST publishes new DSA draft
Message-ID: <20060317174937.GC13241@jabberwocky.com>
Mail-Followup-To: Werner Koch <wk@gnupg.org>, Ian G <iang@systemics.com>, Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
References: <20060314194447.4D59A57FB0@finney.org> <20060316192823.GA9945@jabberwocky.com> <441ACF45.704@systemics.com> <87fylhdq36.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87fylhdq36.fsf@wheatstone.g10code.de>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.11

On Fri, Mar 17, 2006 at 04:54:21PM +0100, Werner Koch wrote:
> 
> On Fri, 17 Mar 2006 16:01:25 +0100, Ian G said:
> 
> >> right answer.  Now that we have actual information about DSA2, perhaps
> >> it would be worth revisiting that question.  A new algorithm ID for
> >> DSA2 resolves a number of problems in one fell swoop as there is no
> >> expectation of interoperability.  SHA-256 is always usable
> >> (effectively the default) for DSA2, and there is no problem with
> >> knowing when it is possible to use truncation (always).
> 
> > Sounds good to me.
> 
> I support this too.  The majority of keys are DSA keys q=160 bit.
> Having a new algorithm identifier will help more than harm.

Even though I originally brought it up, I've given this a good bit of
additional thought while mailing with Hal on the list yesterday, and I
think it really does come down to something as simple as a question of
error messages.  I'm not for a new algorithm ID.

It breaks down like this:

1) a q==160 signature without truncation (hash size matches q exactly)
2) a q==160 signature with truncation (hash left-truncated to match q)
3) a q!=160 signature without truncation (hash size matches q exactly)
4) a q!=160 signature with truncation (hash left-truncated to match q)

I'm not mentioning the larger key size in DSA2 as I believe that
deployed code will handle larger DSA key sizes correctly.

Obviously #1 isn't a problem, as it is what DSA is today.  I think PGP
can actually do #2, but for the sake of argument, let's say that
nobody can do #2, #3, or #4 on current code.

If we don't assign a new algo ID for DSA2, #3 and #4 will fail because
of the wrong q size, and #2 will fail because of the truncation.  If
we do assign the new ID, as before #2, #3, and #4 will fail - but so
will #1!  Even though the signatures are compatible, the new algo ID
will cause the signature to fail on the older implementation.  This
argues against a new algo ID.  Even if we don't create DSA2 q=160 keys
(internally changing them to DSA1 keys), this just returns the
question to neutral, and the extra code complexity and questions (will
it break any keyservers? It will certainly break pksd) of assigning
the new algo ID argue against it.

David
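The four signature cases and the two algorithm-ID choices laid out above can be checked mechanically. What follows is an added example, not code from this thread or from any OpenPGP implementation: a toy DSA in Python with constructed, deliberately small parameters (512-bit p, so it is not secure), hash handling in the FIPS 186-3 style (leftmost min(N, outlen) bits of the digest), and a model of a pre-DSA2 verifier that knows only public-key algorithm ID 17, only 160-bit q, and never truncates. The "new" DSA2 ID is a placeholder picked from OpenPGP's private/experimental range (100-110); no such ID was assigned. The matrix it returns is the one argued in the mail: with the existing ID only case #1 interoperates with old code, with a new ID none of the four do.

```python
import hashlib
import secrets

# Real OpenPGP public-key algorithm ID for DSA (RFC 2440 / RFC 4880).
LEGACY_DSA_ALGO_ID = 17
# Hypothetical placeholder for a "DSA2" ID from OpenPGP's private/experimental
# range (100-110). Constructed for this example; no such ID was ever assigned.
NEW_DSA2_ALGO_ID = 100

SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(q_bits, p_bits):
    """Toy DSA domain parameters (p, q, g) with q of exactly q_bits bits.
    p_bits is far too small for real use; it keeps the example fast."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        k &= ~1                      # even k keeps p = k*q + 1 odd
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def hash_to_int(digest, q, truncate):
    """Map a digest to the integer z used by DSA.
    truncate=False: the old rule, digest length must equal the size of q.
    truncate=True:  the DSA2 rule, use the leftmost min(N, outlen) bits."""
    n_bits = q.bit_length()
    out_bits = len(digest) * 8
    if not truncate and out_bits != n_bits:
        raise ValueError("hash/q size mismatch")
    z = int.from_bytes(digest, "big")
    if out_bits > n_bits:
        z >>= out_bits - n_bits      # keep the leftmost N bits
    return z


def sign(params, x, digest, truncate):
    p, q, g = params
    z = hash_to_int(digest, q, truncate)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, digest, sig, truncate):
    """A DSA2-aware verifier: any q size, truncation allowed."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    try:
        z = hash_to_int(digest, q, truncate)
    except ValueError:
        return False
    w = pow(s, -1, q)
    v = ((pow(g, (z * w) % q, p) * pow(y, (r * w) % q, p)) % p) % q
    return v == r


def legacy_verify(algo_id, params, y, digest, sig):
    """Model of deployed pre-DSA2 code: only algorithm 17, only 160-bit q,
    and the hash must match q exactly (no truncation)."""
    if algo_id != LEGACY_DSA_ALGO_ID:
        return False                 # unknown public-key algorithm
    if params[1].bit_length() != 160:
        return False                 # "wrong q size"
    return verify(params, y, digest, sig, truncate=False)


# The four cases from the mail: (q bits, hash, truncation used by the signer).
CASES = {
    1: (160, "sha1", False),
    2: (160, "sha256", True),
    3: (256, "sha256", False),
    4: (256, "sha384", True),
}
MESSAGE = b"constructed test message"


def interop_matrix(p_bits=512):
    """For each case and each algorithm-ID choice, does the legacy verifier
    accept a signature a DSA2-aware signer produced?"""
    results = {}
    for case, (q_bits, hash_name, truncate) in CASES.items():
        params = gen_params(q_bits, p_bits)
        x, y = keygen(params)
        digest = hashlib.new(hash_name, MESSAGE).digest()
        sig = sign(params, x, digest, truncate)
        assert verify(params, y, digest, sig, truncate=True)   # new code accepts all four
        for label, algo_id in (("same_id", LEGACY_DSA_ALGO_ID),
                               ("new_id", NEW_DSA2_ALGO_ID)):
            results[(case, label)] = legacy_verify(algo_id, params, y, digest, sig)
    return results


if __name__ == "__main__":
    for (case, label), ok in sorted(interop_matrix().items()):
        print(f"case #{case} {label:8s} legacy verifier accepts: {ok}")
```

Running the module prints the eight results; the only True entry is case #1 under the existing algorithm ID, which is exactly the interoperability that a new ID would throw away.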