DSA2

[David Shaw]

On Sat, Sep 23, 2006 at 03:15:07PM +0200, Carlo Luciano Bianco wrote:

> I just try to summarize what I understood from this thread about
> OpenPGP implementation of DSA and RSA signatures, so you can correct
> me if I am wrong: ;-) 
> 
>  - DSA is limited to 256-bit hashes (greater hashes are truncated).
>  - DSA is limited to 3072-bit keys (largers are useless, see above).

Correct, but not completely correct.  The DSA algorithm can handle
larger hashes and larger keys, but there is little point in a larger
hash when you don't have a larger key to go along with it (the whole
"balance" argument).  GnuPG will properly handle a 7680 bit DSA key
(384 bit hash) and 15360 bit DSA key (512 bit hash), but it's not
recommended because of the speed.

> On the other hand:
> 
>  - RSA supports hashes up to 512-bit full lenght.
>  - RSA supports keys up to 4096 bit.

Again correct, but not the whole story.  RSA can certainly handle a
512-bit hash, but the whole balance question comes in again.  A
4096-bit RSA key roughly balances a hash somewhere between 256 and 384
bits.  A 512-bit hash will work with a 4096-bit key, yes, but that
doesn't really change the overall strength of the signature.  The hash
is stronger than the key, so the key is the weak point.  GnuPG will
accept larger RSA keys than 4096, by the way.  Again, it just makes
things slow.

> So my point is: what is the real advantage of "DSA2" over RSA
> (if any, beside being the US standard)? 

Smaller signatures, for one.  Try making a 3072-bit key/256-bit hash
with DSA and RSA.  The RSA signature is much larger.

> Therefore, now that GnuPG uses 256-bit symmetric algos and 512-bit
> hashes (i.e. AES-256 and SHA-512), shouldn't we use also DSA/ElG and
> RSA keys greater than 4096-bits, to achieve a "balanced" security? 

Only if you have a lot of time to wait for signatures to be issued ;)

David