Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 21 14:59:06 CEST 2006

Nicholas Cole wrote:
> I am right that this is not a new algorithm as such,

The problem with describing anything as a 'new algorithm' is, where do
you draw the line for new?  Changing just one line in a specification
could be enough to categorize something as 'new', if you wanted to
define it that way.

It's more apt to say that DSA2 is very closely related to the original
DSA.  DSA2 is a logical outgrowth of the older DSA specification.

> it is just the old one with longer key sizes?

And better hash algorithms.

> And that the only reason it has been restricted to 1024 in the past 
> is a US standard?

DSA is part of a United States FIPS (Federal Information Processing
Standard).  In this FIPS a scheme called DSS, the Digital Signature
Standard, is defined.  DSS specifies that DSA with SHA-1 will be used
for all signatures.

> Or was there any fear that a larger key size with that algorithm 
> would not provide security?

At the time DSA was designed, 1024 bits of the Discrete Logarithm
Problem was widely considered to be enough for all practical purposes.
It isn't considered to be so any longer and various attacks are being
discovered against SHA-1 (which DSS requires to be used with DSA), so a
revised FIPS was put out addressing these two concerns.

> Is the new upper limit of 3072 bits picked for any particular reason?

Because this is the new upper limit in the FIPS.

If you're asking why the FIPS chose 3072-bit keys as the upper limit, I
suspect their reasoning is that attacking 3072-bit DLP is a pipe dream
now and for the foreseeable future.

For whatever it's worth, some critics of OpenPGP point to the lack of a
hash function firewall in DSA and DSA2 keys as a big unresolved security
issue.  These critics are of the opinion the RSA signature specification
is better-defined.  While I haven't looked at the spec enough to see if
DSA2 still lacks a hash function firewall, the criticism should probably
be brought up and considered, especially if you're thinking of migrating
your key to a different signature algorithm.
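To make concrete both what DSA2 changes (a larger q and p, and a stronger hash truncated to q's bit length) and what the hash function firewall criticism above refers to, here is an added toy implementation in Python; it is not code from this thread or from GnuPG. It assumes deliberately tiny parameters (a 64-bit q), a simplified Miller-Rabin test and no side-channel hardening, so it is for reading only.

```python
import hashlib, secrets
def is_probable_prime(n, rounds=32):  # Miller-Rabin; fine for the toy sizes here
    if n < 4:
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    def witness(a):  # True when base a proves n composite
        x = pow(a, d, n)
        if x in (1, n - 1):
            return False
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                return False
        return True
    return not any(witness(secrets.randbelow(n - 3) + 2) for _ in range(rounds))

def keygen(qbits=64):
    # Toy sizes; DSA2 proper uses q of 224 or 256 bits and p of 2048 or 3072 bits
    q = 0
    while not is_probable_prime(q):
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1  # odd, full length
    k = p = 0
    while not is_probable_prime(p):             # p = k*q + 1; even k keeps p odd
        k, p = k + 2, (k + 2) * q + 1
    g = next(g for g in (pow(h, k, p) for h in range(2, 99)) if g != 1)
    x = secrets.randbelow(q - 1) + 1            # private x; public y = g^x mod p
    return (p, q, g, pow(g, x, p)), x

def digest_to_int(hashname, msg, q):
    # Leftmost N bits of the digest (N = bit length of q) is all DSA ever signs
    h = hashlib.new(hashname, msg)
    return int.from_bytes(h.digest(), "big") >> max(0, h.digest_size * 8 - q.bit_length())

def sign(pub, x, z):
    p, q, g, _ = pub
    while True:
        k = secrets.randbelow(q - 1) + 1        # per-signature nonce, never reused
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def verify(pub, z, sig):
    # Nothing here names the hash: any (hash, message) pair yielding z verifies
    (p, q, g, y), (r, s) = pub, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)                           # u1 = z*w, u2 = r*w (mod q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

Note what verify() receives: a bare integer z and (r, s), with nothing recording which hash produced z, so any (hash, message) pair that yields the same integer verifies identically; that absence is what the critics call the missing firewall.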
