Re: NIST publishes new DSA draft

hal@finney.org ("Hal Finney") Tue, 14 March 2006 22:44 UTC

To: james.couzens@electricmail.com
Subject: Re: NIST publishes new DSA draft
Cc: ietf-openpgp@imc.org
Message-Id: <20060314221959.38E3857FB0@finney.org>
Date: Tue, 14 Mar 2006 14:19:59 -0800
From: hal@finney.org
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi, James - I'm afraid you are off by a year on that.  Those reports
were from 2005, not 2006.  They have been intensively discussed here and
elsewhere in the cryptographic community.  Indeed, those findings are a
good part of why I was proposing making SHA-256 a MUST, along with the
fact that this hash will now be able to be used with DSS signatures.

Hal Finney

> > We might want to think about making SHA-256 be another MUST algorithm.
> > The only MUST hash now is SHA-1.  Making SHA-256 be a MUST would make
> > these new key sizes be more useful, and also give us an easier fallback
> > if SHA-1 should be broken.
>
> SHA-1 was broken, last month by three Chinese cryptographers as reported
> by Bruce Schneier through his website.  On February 15, 2006 he wrote of
> a new cryptographic result, an attack faster than brute-force against
> SHA-1.  Two days later he wrote an update to his original post and a
> quote from within it:
>
> > Earlier this week, three Chinese cryptographers showed that SHA-1 is not 
> > collision-free. That is, they developed an algorithm for finding collisions
> > faster than brute force.
> > 
> > ...
> > 
> > They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times
> > faster than brute force. Right now, that is just on the far edge of 
> > feasibility with current technology. Two comparable massive computations 
> > illustrate that point.
>
> Reference URL (02/18/2006): http://tinyurl.com/4rl78
> Original post (02/15/2006): http://tinyurl.com/4bmcc
>
> With respect to your suggestion about thinking about making SHA-256 a MUST 
> algorithm I couldn't agree more.
>
> Cheers,
>
> James
>
> -- 
> James Couzens,
> Programmer
>  ___ __  __  ___ 
> | __|  \/  |/ __| The Electric Mail Company
> | _|| |\/| | (__  Managed, Secure Email Services
> |___|_|  |_|\___| http://www.electricmail.com
>                   Direct Line: 604.482.1111 x152
> --------------------------------------------------
> PGP Key Fingerprint:
> B2EF B741 1807 2F24 8B70  F89B 03D2 6CFF C52F 0052