Are DSA2 signing keys backwards compatible?

David Shaw dshaw at jabberwocky.com
Mon Feb 11 14:23:10 CET 2008


On Sun, Feb 10, 2008 at 10:53:23PM -0600, Kevin Hilton wrote:
> >You could use SHA-512 with
> >it if you liked, but the hash would be truncated to 256 bits.
> 
> Interesting.  Are the higher or lower bits truncated?

RFC-4880:

 DSA signatures MUST use hashes that are equal in size to the number
 of bits of q, the group generated by the DSA key's generator value.
 If the output size of the chosen hash is larger than the number of
 bits of q, the hash result is truncated to fit by taking the number
 of leftmost bits equal to the number of bits of q.  This (possibly
 truncated) hash function result is treated as a number and used
 directly in the DSA signature algorithm.

> >We follow the advice in FIPS 180-3:
> >
> >      L = 1024, N = 160
> >      L = 2048, N = 224
> >      L = 3072, N = 256
> 
> Ok.  So back to the ever-asking defaults question, so why when I
> produce a 3072-bit DSA signing key, why isn't my first digest hash
> preference or choice SHA-256?  Here is what I am getting:
> 
> pub  3072D/0053175A  created: 2007-11-14  expires: never       usage: SC
>                      trust: unknown       validity: unknown
> sub  4096g/51BFA0E0  created: 2007-11-14  expires: never       usage: E
> [ unknown] (1). -----------------------------------------------------
> 
> Command> showpref
> [ unknown] (1). -----------------------------------------------------
>      Cipher: AES256, AES192, AES, CAST5, 3DES
>      Digest: SHA1, SHA256, RIPEMD160
>      Compression: ZLIB, BZIP2, ZIP, Uncompressed
>      Features: MDC, Keyserver no-modify
> 
> It would seem in fact that my digest preferences should only be SHA256
> or SHA512 based on the information provided!  SHA1 or RIPEMD160
> shouldn't even be listed here, correct?

No.  Preferences, including the digest preferences, are not relevant
here at all.  This is a signature *you* are making.  The digest
preferences are consulted when someone *else* is making a signature,
and wants to know if you can handle it.  It has nothing to do with
what your key needs because your key is not involved.

David
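As an added illustration, not part of the thread or of GnuPG's own code: the truncation rule David quotes from RFC 4880, written out in Python over hashlib digests. The digest is read as a big-endian number and only the leftmost q-bits bits are kept (the rightmost surplus bits are discarded). The message is a constructed sample, and the 256-bit q corresponds to the 3072-bit DSA key discussed above; the function also handles a q whose bit length is not a multiple of 8, which goes beyond the FIPS sizes in the thread.

```python
import hashlib


def truncate_hash_for_dsa(digest: bytes, q_bits: int) -> int:
    """RFC 4880 rule: keep the leftmost q_bits bits of the hash output.

    The digest is interpreted as a big-endian integer. If it is wider
    than q, the surplus low-order (rightmost) bits are shifted away so
    the leftmost q_bits bits remain. A digest narrower than q is not
    permitted by the RFC, so it is rejected here.
    """
    digest_bits = len(digest) * 8
    if digest_bits < q_bits:
        raise ValueError(f"hash is {digest_bits} bits, smaller than q ({q_bits})")
    h = int.from_bytes(digest, "big")
    return h >> (digest_bits - q_bits)


def dsa_hash_choices(message: bytes, q_bits: int) -> dict:
    """Return the integer actually fed to DSA for several digest choices.

    For the 3072-bit key in the thread (q is 256 bits) this shows that
    SHA-256 fits exactly, while SHA-512 is cut down to its leading 256
    bits, which is a different value from SHA-256 of the same message.
    """
    out = {}
    for name in ("sha256", "sha384", "sha512"):
        digest = hashlib.new(name, message).digest()
        out[name] = truncate_hash_for_dsa(digest, q_bits)
    return out


if __name__ == "__main__":
    # Constructed sample input; any message works.
    msg = b"constructed sample message"
    for name, value in dsa_hash_choices(msg, 256).items():
        print(f"{name:7s} -> {value.bit_length():3d}-bit value {value:#x}")
```

Every entry in the result is below 2**256, so all three digests are usable with the 256-bit q, but they produce different numbers; choosing SHA-512 does not gain anything over SHA-256 for this key size, which is why the FIPS table pairs L = 3072 with N = 256.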
