Carlo Luciano Bianco clbianco at tiscalinet.it
Wed Sep 27 00:33:38 CEST 2006

Il /26 set 2006/, *David Shaw* ha scritto:

> On Sat, Sep 23, 2006 at 03:15:07PM +0200, Carlo Luciano Bianco
> wrote: 
>> I just try to summarize what I understood from this thread about
>> OpenPGP implementation of DSA and RSA signatures, so you can
>> correct me if I am wrong: ;-) 
>>  - DSA is limited to 256-bit hashes (greater hashes are
>>  truncated).
>>  - DSA is limited to 3072-bit keys (largers are
>>  useless, see above). 
> Correct, but not completely correct.

Well... Better than what I was afraid of... ;-))

> The DSA algorithm can handle
> larger hashes and larger keys, but there is little point in a
> larger hash when you don't have a larger key to go along with it
> (the whole "balance" argument).

I see, and I fully share this argument. The strength of a chain is
the strength of the weakest ring, not the one of the strongest. 

That's why I asked about using also larger (15Kbit) public keys,

> but it's not recommended because of the speed.

OK. I got the point.

>> On the other hand:
>>  - RSA supports hashes up to 512-bit full lenght.
>>  - RSA supports keys up to 4096 bit.
> Again correct, but not the whole story.  RSA can certainly handle
> a 512-bit hash, but the whole balance question comes in again.

Of course, I see.

> A
> 4096-bit RSA key roughly balances a hash somewhere between 256 and
> 384 bits.  A 512-bit hash will work with a 4096-bit key, yes, but
> that doesn't really change the overall strength of the signature. 
> The hash is stronger than the key, so the key is the weak point. 
> GnuPG will accept larger RSA keys than 4096, by the way.

But it will not generate them, I suppose...

> Again, it just makes things slow.
>> So my point is: what is the real advantage of "DSA2" over RSA
>> (if any, beside being the US standard)? 
> Smaller signatures, for one.  Try making a 3072-bit key/256-bit
> hash with DSA and RSA.  The RSA signature is much larger.

Yes, as I replied to Qed, this is a good point which I did not
consider. Actually, I noticed this "enlargement" when I switched
from my old DSA-1024/ElG-4096 key to my new RSA-4096/RSA-4096 one.
But, at that time, I thought it was mainly due to the different key
and hash sizes, not to the algorithm itself... 

>> Therefore, now that GnuPG uses 256-bit symmetric algos and
>> 512-bit hashes (i.e. AES-256 and SHA-512), shouldn't we use also
>> DSA/ElG and RSA keys greater than 4096-bits, to achieve a
>> "balanced" security? 
> Only if you have a lot of time to wait for signatures to be issued
> ;)

Well... I am usually very patient... ;-))

Trying to be a little less fool [;-)], this means that a "balanced"
security with AES-256 and SHA-512 (which are balanced between
themselves) can be actually achieved only with ECC public keys...

                      |  ICQ UIN: 109517158
 Carlo Luciano Bianco |  Home page: <http://clbianco.altervista.org/>
GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743

More information about the Gnupg-devel mailing list