Are DSA2 signing keys backwards compatible?

Kevin Hilton kevhilton at
Mon Feb 11 14:31:43 CET 2008

On Feb 10, 2008 10:53 PM, Kevin Hilton <kevhilton at> wrote:
> >You could use SHA-512 with
> >it if you liked, but the hash would be truncated to 256 bits.
> Interesting.  Are the higher or lower bits truncated?
> >We follow the advice in FIPS 180-3:
> >
> >      L = 1024, N = 160
> >      L = 2048, N = 224
> >      L = 3072, N = 256
> Ok.  So back to the ever asking defaults question, so why when I
> produce a 3072 bit DSA signing key, why isnt my first digest hash
> preference or choice SHA-256?  Here is what I am getting:
> pub  3072D/0053175A  created: 2007-11-14  expires: never       usage: SC
>                      trust: unknown       validity: unknown
> sub  4096g/51BFA0E0  created: 2007-11-14  expires: never       usage: E
> [ unknown] (1). -----------------------------------------------------
> Command> showpref
> [ unknown] (1). -----------------------------------------------------
>      Cipher: AES256, AES192, AES, CAST5, 3DES
>      Digest: SHA1, SHA256, RIPEMD160
>      Compression: ZLIB, BZIP2, ZIP, Uncompressed
>      Features: MDC, Keyserver no-modify
> It would seem in fact that my digest preferences should only be SHA256
> or SHA512 based on the information provided!  SHA1 or RIPEMD160
> shouldn't even be listed here, correct?

My reason for asking these questions is in regards to a documentation
Im trying to compose for a user's group.  Obviously I'm very much a
novice in both the mathematics beyonds GnuPG but in also its
implementation.  Its clear to me you are following both the FIPS and
OpenGPG RFC 8440 in implementing the program, however the truncation
of longer hash products, along with attempting to predict which hash
the program based on the output available will actually use is very
troubling and extremely difficult to document given all the nuances of
the program, particularly in relation to DSA keys.  Given the above
example (just one example), where a 3072 DSA key actually uses either
a SHA256 or SHA512 bit hash (truncated to 256 bits), despite what is
listed when showprefs is displayed -- How do you actually document
this scenario?  Im sure the situation is similar with 2048 DSA keys.
This is particularly troublesome given the fact that many actually
recommend the use of 2048 DSA keys -> meaning all hashes used are
going to be trucated to 224 bits and that 160 bit hashes will never be
used despite what would be suggested by the preference statement.

Are RSA signing keys subject to some of the same nuances as DSA keys?
Practically could a 1024 bit RSA key be used with a 512 hash?

Again its all very confusing to me -- math aside and practical
considerations why you wouldn't want to mix and match key types and
hash lengths.  Again Robert Hansen has wisely suggested use the
defaults -- I'm understanding this more and more -- however when I see
showpref statements that would suggest SHA-1 is the default hash, when
in actuality with larger DSA keys it is not, I get rather frustrated.

Thank you for your help.

Kevin Hilton

More information about the Gnupg-users mailing list