DSS Standard

Pete Chown Pete.Chown@skygate.co.uk
Thu, 24 Aug 2000 11:43:40 +0100

Stefan Nobis wrote:

> But what about encrypting the whole text and not signing it? There you
> use a conventional symetric cipher to encrypt the text and the
> symetric key is crypted with the public key of the receiver. In this
> szenario the secret key need not to be stronger than the conventional
> cipher.
This is true, but DSS will not be used in this situation. There is a variant of ElGamal encryption that works with DSA style keys, but it is not in wide use and OpenPGP does not use it.
> Do i understand things right when i assume there are two secret keys,
> one for signing and one for encryption and that the first is not
> longer than 160 bits but the later may be 1024 bit or more?
No. DSA uses two parameters, one 160 bits and one which is 512 to 1024 bits. These parameters can be shared among as many users of DSA as you want without weakening security. Then, of course, a user has a public and a private key as with simpler systems such as RSA. So each user will have his or her own public and private key. Then there will be two parameters which might or might not be the same as the ones used by other people's keys. You can attack DSA by solving one of two discrete logarithm problems. One is in a group of order 160 bits and the other is in a group of order 512 to 1024 bits depending on the length of the other parameter. However, some types of discrete log are easier than others; it is believed that the two problems are about equivalent when the variable length parameter is 1024 bits. There is therefore no point in making the variable length parameter longer than 1024 bits unless you make the other one longer as well. AFAIK there is no reason not to do this, but because SHA-1 is 160 bits it doesn't make any sense in the context of the DSS (which specifies SHA-1 as the hash function). -- Pete -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org