DSA2
Carlo Luciano Bianco
clbianco at tiscalinet.it
Wed Sep 27 00:33:38 CEST 2006
Il /26 set 2006/, *David Shaw* ha scritto:
> On Sat, Sep 23, 2006 at 03:15:07PM +0200, Carlo Luciano Bianco
> wrote:
>
>> I just try to summarize what I understood from this thread about
>> OpenPGP implementation of DSA and RSA signatures, so you can
>> correct me if I am wrong: ;-)
>>
>> - DSA is limited to 256-bit hashes (greater hashes are
>> truncated).
>> - DSA is limited to 3072-bit keys (largers are
>> useless, see above).
>
> Correct, but not completely correct.
Well... Better than what I was afraid of... ;-))
> The DSA algorithm can handle
> larger hashes and larger keys, but there is little point in a
> larger hash when you don't have a larger key to go along with it
> (the whole "balance" argument).
I see, and I fully share this argument. The strength of a chain is
the strength of the weakest ring, not the one of the strongest.
That's why I asked about using also larger (15Kbit) public keys,
but...
[...]
> but it's not recommended because of the speed.
OK. I got the point.
>> On the other hand:
>>
>> - RSA supports hashes up to 512-bit full lenght.
>> - RSA supports keys up to 4096 bit.
>
> Again correct, but not the whole story. RSA can certainly handle
> a 512-bit hash, but the whole balance question comes in again.
Of course, I see.
> A
> 4096-bit RSA key roughly balances a hash somewhere between 256 and
> 384 bits. A 512-bit hash will work with a 4096-bit key, yes, but
> that doesn't really change the overall strength of the signature.
> The hash is stronger than the key, so the key is the weak point.
> GnuPG will accept larger RSA keys than 4096, by the way.
But it will not generate them, I suppose...
> Again, it just makes things slow.
>
>> So my point is: what is the real advantage of "DSA2" over RSA
>> (if any, beside being the US standard)?
>
> Smaller signatures, for one. Try making a 3072-bit key/256-bit
> hash with DSA and RSA. The RSA signature is much larger.
Yes, as I replied to Qed, this is a good point which I did not
consider. Actually, I noticed this "enlargement" when I switched
from my old DSA-1024/ElG-4096 key to my new RSA-4096/RSA-4096 one.
But, at that time, I thought it was mainly due to the different key
and hash sizes, not to the algorithm itself...
>> Therefore, now that GnuPG uses 256-bit symmetric algos and
>> 512-bit hashes (i.e. AES-256 and SHA-512), shouldn't we use also
>> DSA/ElG and RSA keys greater than 4096-bits, to achieve a
>> "balanced" security?
>
> Only if you have a lot of time to wait for signatures to be issued
> ;)
Well... I am usually very patient... ;-))
Trying to be a little less fool [;-)], this means that a "balanced"
security with AES-256 and SHA-512 (which are balanced between
themselves) can be actually achieved only with ECC public keys...
--
| ICQ UIN: 109517158
Carlo Luciano Bianco | Home page: <http://clbianco.altervista.org/>
______________________|________________________________________________
GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743
More information about the Gnupg-devel
mailing list