dshaw at jabberwocky.com
Wed Sep 24 06:21:39 CEST 2008
On Sep 23, 2008, at 11:32 PM, Kevin Hilton wrote:
> Robert can probably give a better explanation than I, however with
> 3072 DSA signing keys, the SHA512 and SHA256 algorithms "functionally"
> produce the same length hash since the lower 256 bits are dropped as
> per the FIPS specification. I've often wondered about the consequences of
> such an action -- whether this makes the chance of a collision higher
> or equal in comparing the SHA512 modified hash product to the SHA256
> hash product. Perhaps someone could elaborate on this.
In a perfect world, SHA512 truncated to 256 bits is exactly as strong
as SHA256. We don't, of course, live in a perfect world. However,
we're close enough in this case to treat the two as interchangeable in
a practical world. This is what NIST did when specifying the new DSA
algorithm in FIPS-186-3. They note that a 3072-bit DSA key needs a
256-bit hash, but that any hash larger than necessary can be truncated
to fit. OpenPGP follows that spec, and so GPG will happily chop
SHA512 to fit.
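As an added illustration (not code from the thread or from GnuPG), the following Python applies the FIPS 186-3 rule David describes: a DSA key with subgroup size N signs the leftmost min(N, outlen) bits of the digest, so for a 3072-bit key (N = 256) SHA-512 loses its trailing 256 bits and SHA-256 is used whole. Function names and the sample message are my own.

```python
import hashlib

# (L, N) pairs permitted by FIPS 186-3: L is the size of the modulus p,
# N the size of the subgroup order q, which caps how many hash bits are used.
FIPS_186_3_LN_PAIRS = {1024: (160,), 2048: (224, 256), 3072: (256,)}


def dsa_hash_input(digest: bytes, n_bits: int) -> bytes:
    """Leftmost min(N, outlen) bits of a digest (FIPS 186-3 Section 4.6).

    The leading bytes are kept and the trailing ones dropped; a digest no
    longer than N bits is returned unchanged.
    """
    if n_bits % 8:
        raise ValueError("helper assumes N is a whole number of bytes")
    keep = min(n_bits // 8, len(digest))
    return digest[:keep]


def dsa_z(digest: bytes, n_bits: int) -> int:
    """The integer z that DSA signing/verification actually operates on."""
    return int.from_bytes(dsa_hash_input(digest, n_bits), "big")


def compare_for_3072_key(message: bytes) -> dict:
    """What a 3072-bit DSA key (N = 256) signs under SHA-256 versus SHA-512."""
    n_bits = FIPS_186_3_LN_PAIRS[3072][0]
    sha256 = hashlib.sha256(message).digest()
    sha512 = hashlib.sha512(message).digest()
    used512 = dsa_hash_input(sha512, n_bits)
    return {
        "sha256_bits_used": 8 * len(dsa_hash_input(sha256, n_bits)),
        "sha512_bits_used": 8 * len(used512),
        "sha512_dropped_bits": 8 * (len(sha512) - len(used512)),
        # Both inputs are 256 bits, but they are different 256-bit values.
        "same_signed_value": dsa_z(sha256, n_bits) == dsa_z(sha512, n_bits),
    }


if __name__ == "__main__":
    # Constructed sample message, not taken from the thread.
    for key, value in compare_for_3072_key(b"constructed sample message").items():
        print(f"{key}: {value}")
```

Either hash therefore feeds DSA a 256-bit value with the same 2^128 birthday bound; truncating SHA-512 does not shrink that below what SHA-256 provides.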