DSS Standard

Pete Chown Pete.Chown@skygate.co.uk
Thu, 24 Aug 2000 11:43:40 +0100


Stefan Nobis wrote:


> But what about encrypting the whole text and not signing it? There you
> use a conventional symmetric cipher to encrypt the text and the
> symmetric key is encrypted with the public key of the receiver. In this
> scenario the secret key need not be stronger than the conventional
> cipher.

This is true, but DSS will not be used in this situation. There is a variant of ElGamal encryption that works with DSA style keys, but it is not in wide use and OpenPGP does not use it.

> Do I understand things right when I assume there are two secret keys,
> one for signing and one for encryption and that the first is not
> longer than 160 bits but the latter may be 1024 bits or more?

No. DSA uses two parameters, one 160 bits and one which is 512 to 1024 bits. These parameters can be shared among as many users of DSA as you want without weakening security. Then, of course, a user has a public and a private key as with simpler systems such as RSA.

So each user will have his or her own public and private key. Then there will be two parameters which might or might not be the same as the ones used by other people's keys.

You can attack DSA by solving one of two discrete logarithm problems. One is in a group of order 160 bits and the other is in a group of order 512 to 1024 bits depending on the length of the other parameter. However, some types of discrete log are easier than others; it is believed that the two problems are about equivalent when the variable length parameter is 1024 bits. There is therefore no point in making the variable length parameter longer than 1024 bits unless you make the other one longer as well. AFAIK there is no reason not to do this, but because SHA-1 is 160 bits it doesn't make any sense in the context of the DSS (which specifies SHA-1 as the hash function).

--
Pete
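
An added illustration, not part of the original message or of GnuPG's code: a toy DSA in Python showing the two shared parameters (a short prime q and a long prime p with q dividing p - 1), per-user key pairs on top of them, and signature values bounded by q. The constants P, Q, G and all function names are constructed for this sketch and are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy domain parameters (assumption, not from the message).
# q is the short prime, p the long prime with q | p - 1, g has order q.
# In the DSS discussed above q is 160 bits and p is 512 to 1024 bits.
Q = 101
P = 607                       # 607 - 1 = 6 * 101
G = pow(2, (P - 1) // Q, P)   # 64, generates the subgroup of order q

def check_params(p, q, g):
    """Structural checks on shared parameters (primality is not tested)."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1      # private key, 1 <= x < q
    return x, pow(g, x, p)                # public key y = g^x mod p

def digest(msg, q):
    # Toy reduction of SHA-1 modulo q; real DSA takes the leftmost bits.
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def sign(msg, x, p, q, g):
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh secret for every signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (digest(msg, q) + x * r) % q
        if r and s:
            return r, s                   # both values are smaller than q

def verify(msg, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = digest(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def demo():
    # Two users share P, Q, G but each holds an individual key pair.
    msg = b"constructed sample message"
    results = []
    for x, y in (keygen(P, Q, G), keygen(P, Q, G)):
        results.append(verify(msg, sign(msg, x, P, Q, G), y, P, Q, G))
    return tuple(results)
```
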