DSS Standard

Stefan Nobis stefan@snobis.de
23 Aug 2000 23:40:29 +0200


Werner Koch <wk@gnupg.org> writes:


> > [Y - public key, X - secret key, G - generator, P - prime]
> > Y = G^X mod P
> >
> > The DSS (Digital Signature Standard) restricts the size of the prime P
> > to 1024 bits, which appears as a minor restriction compared to the RSA
> > algorithm which commonly uses 1024-2048 bits. But it's more important
> > for the datafiend, that this standard restricts the secret key to 160
> > bits as well. Therefore it is enough to check a relevant part of the
> > numbers between 0 and 2^160 to find the secret key, while the size of
> > the prime does only increase the time for calculation of one single
> > test but does not increase the amount of possible secret keys.
>
> It does not help to have huge keys if you don't have a hash algorithm
> with a matching length of the digest. Matching here does mean, that

Hmmm... let me get this right: The hash is used for digital signatures and then the generated hash is encrypted with the secret key, so if the text is changed or you use the wrong public key an error occurs. This way the secret key should not be stronger than the hash.

But what about encrypting the whole text and not signing it? There you use a conventional symmetric cipher to encrypt the text and the symmetric key is encrypted with the public key of the receiver. In this scenario the secret key need not be stronger than the conventional cipher.

Do I understand things right when I assume there are two secret keys, one for signing and one for encryption, and that the first is not longer than 160 bits but the latter may be 1024 bits or more?

> RSA+MD5 of any keysize is weaker than 1024 bit DSA+SHA1.

These 1024 bits are the size of the prime to generate the 160 bits of the secret key for signing?

--
Until the next mail..., Stefan.
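
An added illustration, not part of the original mail or of GnuPG's code: a toy DSA in Python with constructed, scaled-down sizes (a 32-bit q and 63-bit P instead of 160 and 1024 bits) showing the structure the thread is discussing. The secret X and both signature values are bounded by the subgroup order q, and only q's bit length of the SHA-1 digest enters the signature. All function names are assumptions of this example.

```python
import hashlib, secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    # Miller-Rabin; these bases make it deterministic for n < 2**64
    if n < 41 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def passes(a):
        x = pow(a, d, n)
        return x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(s - 1))
    return all(passes(a) for a in BASES)

def make_params(qbits=32, pbits=63):
    # Constructed toy sizes; the DSS in the mail uses a 160-bit q and a 1024-bit P
    q = next(n for n in range(2 ** (qbits - 1) + 1, 2 ** qbits, 2) if is_prime(n))
    j0 = 2 ** (pbits - 1) // q + 1
    p = next(j * q + 1 for j in range(j0, 2 * j0) if is_prime(j * q + 1))
    g = next(h for h in (pow(a, (p - 1) // q, p) for a in range(2, p)) if h != 1)
    return p, q, g                     # g generates the subgroup of prime order q

def digest_bits(msg, q):
    # only the leftmost q.bit_length() bits of SHA-1 enter the signature
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - q.bit_length())

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1   # secret key X: 1 <= X < q
    return x, pow(g, x, p)             # public key Y = G^X mod P

def sign(msg, p, q, g, x):
    while True:
        k = secrets.randbelow(q - 1) + 1          # fresh per-signature secret
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (digest_bits(msg, q) + x * r) % q
        if r and s:
            return r, s

def verify(msg, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = digest_bits(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r
```
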