DSA key sizes

David Shaw dshaw at jabberwocky.com
Mon Nov 10 16:04:50 CET 2014

On Nov 10, 2014, at 8:56 AM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:

>> FIPS-186-3, the document that specifies DSS (aka DSA with some
>> additional restrictions as to algorithm, key length, etc) specifies 4
>> key sizes:
> Five, but nobody uses DSA-512 and I think it's been formally obsoleted.
> But yes, DSA-512 is a real thing, although GnuPG never supported it
> (for good reasons -- it was seen as marginal even when it first came out!).

No, four. Section 4.2 of FIPS-186-3:

  This Standard specifies the following choices for the pair L and N (the bit lengths of p and q, respectively):

  L = 1024, N = 160
  L = 2048, N = 224
  L = 2048, N = 256
  L = 3072, N = 256


Remember that the FIPS-186 documents cover DSS, not DSA.  There was a < 1024-bit DSS, but it didn't make it into FIPS-186-3.

It's also not the case the GnuPG never supported 512-bit DSA.  You could generate a 512-bit DSA until 1024 was made the minimum in late 2004.  Even today, it's possible to generate a 512 bit DSA key in 1.4.x if you use --expert.  (Not that you should).


More information about the Gnupg-users mailing list