[Q] DSA 1024-bit limit.

Werner Koch wk@gnupg.org
Wed May 14 19:00:03 2003


On Tue, 13 May 2003 11:53:42 -1000, Denis McCauley said:

> IMO, the real worry with the 1024-bit limit on regular DSA keys is that
> they are the primary keys on which you collect the signatures that
> construct your web of trust. If you have to revoke them because they are

Please consider all facts relevant to the security of your key.  The
length of the key is not that important as long as it has a sound size
(i.e. > 768 bits).  Speculating about when it can be broken and not
considering facts with a much higher chance of a key compromise is
shortsighted.

It can't be said often enough:  Cryptography is only as strong as the
weakest subsystem.  So compare the probabilities of, say:

  * a new and really fast way to solve the DLP (and there can't be any
    certainty that the size of the key is always a major parameter).
    This might be a new algorithm or a new hardware design.

  * breaking of the hash algorithm (SHA-256 is still quite new)

  * physical access to your key (rubber hose attack or a hired
    burglar)

  * a BIOS of your box or a clever CPU (think Transmeta) identifying
    secret keys and posting them to a newsgroup.

  * a rogue OS

  * a trojan

  * a bug in the compiler, linker etc.

  * A malicious compiler (remember Dennis Ritchie).

  * a bug in GnuPG

  * a user error

If you can truly identify the length of the key as a worrisome fact,
you may want to give up the nice short DSA signature for large RSA
signature blobs.  If you evaluate that, take your attack scenario into
account: A key used as a top level CA may need other properties than one
used everyday on your machine with millions - of easy to subvert -
code lines.


Shalom-Salam,

   Werner


-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi