Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

[Len Sassaman <rabbi@xxxxxxxxxxx>]

On Sat, 24 Aug 2002, Jon Callas wrote:

> So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
> algorithm does P1363 use with longer keys? What semantics does it have to go
> with it?

P1363 doesn't seem to be linked off of the IEEE site anymore. Does anyone
have a copy they can mirror?

I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not
DSS.

I understand DSA to be limited to 1024 bits when using a 160 bit hash.
Using a larger hash would allow for larger key sizes. There has been some
speculation that a revised DSS may be specified by NIST using the new
larger SHA hashes. Should we anticipate this and add the new SHAs (at
least SHA-512) to the spec?

FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
even specifies double-width SHA1, since it's my understanding that most
cryptographers are skeptical that double-width SHA1 is any better than
single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
one of the newer NIST SHAs?


--Len.