Changing preferences

Robert J. Hansen rjh at sixdemonbag.org
Wed Sep 24 08:04:56 CEST 2008


Kevin Hilton wrote:
> I've often wondered the consequences of such an action -- whether
> this makes the chance of a collision higher or equal in comparing the
> SHA512 modified hash product to the SHA256 hash product.  Perhaps
> someone could elaborate on this.

Theoretically?  None.  Practically?  None yet.  If/when the longer SHAs
are subjected to cryptanalytic attack, "none yet" will change to
"expected soon" before becoming "switch to WHIRLPOOL."

> Of course with RSA keys, no such limitation is in place.  Just an
> FYI.

Well, not technically, no, but there's no point in using SHA512 with an
RSA key.  According to NIST, a 4kbit RSA key is roughly equivalent in
brute force resistance to a 168-bit symmetric key.  The rule of thumb
with hashes is to use twice as many bits as there are in your symmetric
key, so a 4096-bit RSA key only needs SHA384.  Past that you're just
putting lipstick on the pig.

(To say nothing of 4kbit keys in and of themselves, which strike me as
being more technofetishism than a measured response to the current state
of the art in cryptanalysis.  But ignore me or else I'll start ranting
again...)

> (And just another summary, the battle between RSA vs DSA signing keys
> has been waged many times prior on this mailing list -- Google for
> it if you don't believe me -- and to summarize the conclusions of
> many on this list -- there is no functional advantage of using one
> over the other).

I can count on my fingers the number of people I would trust to make any
kind of authoritative statements re: DSA versus RSA.  None of them are
on this list.  Discussing relative strengths and weaknesses of the two
is a spectacularly black art, and unless your name is Adi Shamir or
Taher Elgamal you probably don't know as much as you think you do.

I am _definitely_ included in the ranks of the people who don't know as
much as they think they do when it comes to this.  They are both far,
far stronger than people need them to be; that's all I feel comfortable
stating.



