# DSS Standard

**Werner Koch
**
wk@gnupg.org

*Wed, 23 Aug 2000 18:59:58 +0200*

On Wed, 23 Aug 2000, Stefan Nobis wrote:

>* I found the following on the web, which says that the DSS standard is
*

>* a bit bad and not very secure - is this true?
*

Nonsense.

>* -----------------------------------------------------------------------
*

>* [Y - public key, X - secret key, G - generator, P - prime]
*

>* Y = GX mod P
*

>*
*

>* The DSS (Digital Signature Standard) restricts the size of the prime P
*

>* to 1024 bits, which appears as a minor restriction compared to the RSA
*

>* algorithm which commonly uses 1024-2048 bits. But it's more important
*

>* for the datafiend, that this standard restricts the secret key to 160
*

>* bits as well. Therefore it is enough to check a relevant part of the
*

>* numbers between 0 and 2160 to find the secret key, while the size of
*

s/2160/2^160/

>* the prime does only increase the time for calculation of one single
*

>* test but does not increase the amount of possible secret keys.
*

It does not help to have huge keys if you don't have a hash algorithm
with a matching length of the digest. Matching here does mean, that
the time to break the secret key is of the same order as the one to
calculate collisions in the hash digests.
RSA+MD5 of any keysize is weaker than 1024 bit DSA+SHA1.
BTW, the NSA is working on a larger hash and as soon as it has been
"proofed" that this is one is secure, we can use DSA with larger key
sizes.
Werner
--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org