DSA2

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 21 14:59:06 CEST 2006



Nicholas Cole wrote:
> I am right that this is not a new algorithm as such,

The problem with describing anything as a 'new algorithm' is, where do
you draw the line for new?  Changing just one line in a specification
could be enough to categorize something as 'new', if you wanted to
define it that way.

It's more apt to say that DSA2 is very closely related to the original
DSA.  DSA2 is a logical outgrowth of the older DSA specification.

> it is just the old one with longer key sizes?

And better hash algorithms.

> And that the only reason it has been restricted to 1024 in the past
> is a US standard?

DSA is part of a United States FIPS (Federal Information Processing
Standard).  In this FIPS a scheme called DSS, the Digital Signature
Standard, is defined.  DSS specifies that DSA with SHA-1 will be used
for all signatures.

> Or was there any fear that a larger key size with that algorithm
> would not provide security?

At the time DSA was designed, 1024 bits of the Discrete Logarithm
Problem was widely considered to be enough for all practical purposes.
It isn't considered to be so any longer and various attacks are being
discovered against SHA-1 (which DSS requires to be used with DSA), so a
revised FIPS was put out addressing these two concerns.

> Is the new upper limit of 3072 bits picked for any particular reason?

Because this is the new upper limit in the FIPS.

If you're asking why the FIPS chose 3072-bit keys as the upper limit, I
suspect their reasoning is that attacking 3072-bit DLP is a pipe dream
now and for the foreseeable future.

For whatever it's worth, some critics of OpenPGP point to the lack of a
hash function firewall in DSA and DSA2 keys as a big unresolved security
issue.  These critics are of the opinion the RSA signature specification
is better-defined.  While I haven't looked at the spec enough to see if
DSA2 still lacks a hash function firewall, the criticism should probably
be brought up and considered, especially if you're thinking of migrating
your key to a different signature algorithm.

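The two points above (longer DSA2 keys need wider hashes, and the "hash function firewall" critics say DSA lacks) can be made concrete at the level of the signature primitives. This is an added Python illustration, not code from the post or from GnuPG; the (L, N) size pairs and the "leftmost min(N, outlen) bits" rule are taken from FIPS 186-3, and the PKCS#1 v1.5 DigestInfo prefixes are the standard DER encodings, none of which appear in the message itself.

```python
import hashlib

# DSA2 (FIPS 186-3) bit-length pairs: L = size of p, N = size of q.
# The original DSA allowed only (1024, 160), matching SHA-1's 160-bit output.
DSA2_SIZES = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

# DER DigestInfo prefixes used by PKCS#1 v1.5 RSA signatures. Each carries
# the hash algorithm's OID, so the signed value itself says which hash was
# used: that is the "hash function firewall" the critics mean.
PKCS1_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def dsa_representative(digest: bytes, n_bits: int) -> int:
    """z, the integer DSA signs: the leftmost min(N, outlen) bits of the hash
    output (FIPS 186-3 rule). Only the digest bytes matter; nothing in z
    records which hash function produced them."""
    out_bits = len(digest) * 8
    keep = min(n_bits, out_bits)
    return int.from_bytes(digest, "big") >> (out_bits - keep)


def pkcs1_representative(hash_name: str, digest: bytes) -> bytes:
    """The DigestInfo PKCS#1 v1.5 signs; the OID prefix binds the hash name."""
    prefix = PKCS1_PREFIX[hash_name]
    if len(digest) != prefix[-1]:  # last prefix byte is the digest length
        raise ValueError("digest length does not match the declared hash")
    return prefix + digest


def hash_adequate_for(l_bits: int, n_bits: int, hash_name: str) -> bool:
    """True if the hash is at least N bits wide for a valid DSA2 (L, N) pair,
    so truncation drops nothing and the hash is not the weakest link."""
    if (l_bits, n_bits) not in DSA2_SIZES:
        raise ValueError(f"({l_bits}, {n_bits}) is not a FIPS 186-3 size pair")
    return hashlib.new(hash_name).digest_size * 8 >= n_bits


if __name__ == "__main__":
    msg = b"constructed sample message"
    sha256_d = hashlib.sha256(msg).digest()
    sha3_d = hashlib.sha3_256(msg).digest()  # same width, different function
    # For a 3072-bit key (N = 256) both digests are used whole, and z is
    # computed the same way: DSA itself cannot tell SHA-256 from SHA3-256.
    print(dsa_representative(sha256_d, 256) == int.from_bytes(sha256_d, "big"))
    print(hash_adequate_for(3072, 256, "sha1"))    # False: 160 < 256
    print(pkcs1_representative("sha256", sha256_d).hex()[:38])  # OID prefix
```

The contrast is at the primitive level only; whether a given OpenPGP signature packet separately binds the hash algorithm is a question for the OpenPGP specification, as the post itself says.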
