
Re: DSA hash algorithms



* "Hal Finney" wrote:
> (Although RIPEMD-160 has not been attacked, the earlier RIPEMD hash was
> broken last year, and it seems plausible that the new attacks could work
> against RIPEMD-160 as well.)

IBTD. The same argument applies to the SHA-2 family. It is senseless.

> I suggest that we do one of two things.  We could change the spec to
> require SHA-1 with DSA keys, and then when NIST comes out with DSA-2
> which uses SHA-2 (which they have been promising for years now), we will
> then support the larger hashes.  Or we could change the spec to allow
> any hash >= 160 bits to be used with DSA keys.  We could follow the NIST
> recommendation in http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
> and use just the left 160 bits of the larger hash.

Because every hash of 160 bits will do, I'd propose to be as flexible as
possible. We can provide a general statement about hashes in all contexts:
 "If the digest is larger than expected, only the leftmost bits count."

I do not know if those truncated hashes provide the same level of security ...
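
The "leftmost bits" rule discussed in this message, as an added example that is not part of the original post or of any OpenPGP implementation: a DSA sign/verify round trip in which digests of any length are cut to the bit length of q before use. The group (p, q, g) is a constructed toy group that is far too small for real use, and the function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy DSA group, far too small for real use: q divides p - 1
# and g = 2^((p-1)/q) mod p has order q. q is 7 bits long, so every digest
# is "larger than expected" and the leftmost-bits rule applies.
P, Q, G = 607, 101, 64


def leftmost_bits(digest: bytes, nbits: int) -> int:
    """Return the leftmost nbits of digest as an integer.

    Shorter digests are used whole; nbits need not be a multiple of 8.
    """
    total = len(digest) * 8
    value = int.from_bytes(digest, "big")
    return value >> (total - nbits) if total > nbits else value


def hash_to_int(message: bytes, hash_name: str) -> int:
    # Signer and verifier must both truncate to the bit length of q.
    digest = hashlib.new(hash_name, message).digest()
    return leftmost_bits(digest, Q.bit_length())


def sign(x: int, message: bytes, hash_name: str):
    z = hash_to_int(message, hash_name)
    while True:
        k = secrets.randbelow(Q - 1) + 1      # per-signature secret in [1, Q-1]
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + x * r) % Q
        if r and s:                           # retry on the degenerate cases
            return r, s


def verify(y: int, message: bytes, sig, hash_name: str) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):         # reject out-of-range values
        return False
    w = pow(s, -1, Q)
    u1 = hash_to_int(message, hash_name) * w % Q
    u2 = r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r
```

With a real 160-bit q the same `leftmost_bits` call yields the first 20 bytes of a SHA-256 or SHA-512 digest.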