[spf:guess] Re: DSA and SHA-256 (It works! Or does it?! :))

Werner Koch wk at gnupg.org
Thu Jan 14 09:01:51 CET 2010

On Wed, 13 Jan 2010 22:58, sam at vilain.net said:

> Right.  Is there an official test suite for that?  Might see if I can't

You mean for OpenPGP: No.  However we did tests between PGP and GnuPG
thus we are quite confident that the GnuPG implementation is correct.

For algorithm testing the NIST has the CAVS program; see
http://csrc.nist.gov/groups/STM/cavp/ .

> Because SHA-256 has fewer rounds than SHA-1, from my very naïve grasp of
> the subject, it seems like it could be easier to find a collision by
> throwing those bits away, than by using SHA-1.  Taking the approach of

Things are much more complicated and in particular the SHA-2 suite went
through many years of internal development at, well, the NSA.  Those
guys know a bit about hash functions - at that time more than any
researcher in the open community.

> not shortening the hash output, but taking it modulus a very large prime
> would seem to lose that information rather than folding it back into the
> output via the 'mod q' at the end, where all the extra high bits will
> have a very profound and non-linear impact on the output values.

In my layman's view that is very unlikely.  It somehow reminds me of
that Enigma fix 75 years ago which actually helped to break it.



Thoughts are free.  Exceptions are regulated by a federal law.
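An added example, not code from the thread or from GnuPG, showing the two ways of fitting a SHA-256 digest to a DSA group order q that the exchange above contrasts: the standard approach (FIPS 186-3 and RFC 4880 keep the leftmost min(N, outlen) bits, N being the bit length of q) and the mod-q reduction Sam floats. The q values and the sample message are constructed for the demonstration; primality of q is irrelevant to the bit manipulation shown.

```python
import hashlib

# Constructed stand-ins for q: a 160-bit one (DSA-1024 size) and a 256-bit one.
# They are NOT real DSA group orders; only their bit lengths matter here.
Q160 = (1 << 160) - 47
Q256 = (1 << 256) - 189


def digest_of(msg: bytes) -> bytes:
    """SHA-256 digest of a message (helper so callers need no hashlib import)."""
    return hashlib.sha256(msg).digest()


def truncate_digest(digest: bytes, q: int) -> int:
    """FIPS 186-3 / RFC 4880 style: keep the leftmost min(N, outlen) bits.

    If outlen == N no bits are discarded; the value may still exceed q, and
    DSA's 's = k^-1 (z + x*r) mod q' step reduces it later.
    """
    n = q.bit_length()
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > n:
        z >>= outlen - n          # discard the rightmost (outlen - N) bits
    return z


def reduce_digest(digest: bytes, q: int) -> int:
    """Non-standard alternative raised in the thread: fold all bits in via mod q."""
    return int.from_bytes(digest, "big") % q


def tail_sensitivity(digest: bytes, q: int) -> dict:
    """Flip every digest bit beyond the leftmost N and report which mapping notices.

    With a 256-bit digest and a 160-bit q, truncation cannot see the change
    (those 96 bits are thrown away) while mod-q reduction always does, since
    the flipped value differs by a nonzero amount smaller than q.
    """
    n = q.bit_length()
    outlen = len(digest) * 8
    if outlen <= n:
        return {"truncate_changed": False, "reduce_changed": False}  # nothing to flip
    mask = (1 << (outlen - n)) - 1
    flipped = (int.from_bytes(digest, "big") ^ mask).to_bytes(len(digest), "big")
    return {
        "truncate_changed": truncate_digest(digest, q) != truncate_digest(flipped, q),
        "reduce_changed": reduce_digest(digest, q) != reduce_digest(flipped, q),
    }


if __name__ == "__main__":
    d = digest_of(b"abc")      # constructed sample message
    print(hex(truncate_digest(d, Q160)))
    print(tail_sensitivity(d, Q160), tail_sensitivity(d, Q256))
```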
