ietf-openpgp

Re: Comments on draft - Long.

1997-12-04 03:04:33
At 10:50 AM 12/04/1997, Peter Gutmann wrote:
DSS/DSA is only specified for key lengths between 512 and 1024, but OpenPGP 
should be free to do longer keys, even though the standard doesn't actually 
support them.

There's no point in moving to p > 1K bits if q is only 160 bits because it'll 
be vulnerable to a small-exponent attack.  Since q is governed by the hash 
function associated with DSA, you then need to define a new hash function with 
a larger output block size, and suddenly things get very messy.  At the moment 
I don't think it's sensible to use keys > 1K bits, all it'll do is lead to 
confusion about the amount of security offered.

Also, as I look at PGP key generation again, it does limit the
DSA keys to 1024 bits, even when you're doing longer ElGamal.
Doesn't necessarily have to do that, but I didn't find a way to
input different behaviour.
                                Thanks! 
                                        Bill
Bill Stewart, stewarts(_at_)ix(_dot_)netcom(_dot_)com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
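
The sizing argument in the message above, worked through as an added example that is not part of the original e-mail: it compares the estimated cost of attacking the 160-bit q with the cost of attacking p, and reports which one limits the key. The cost models are assumptions (roughly sqrt(q) operations for generic discrete-log methods in the subgroup, and the asymptotic number field sieve estimate with its o(1) term dropped for p), and the function names are hypothetical.

```python
import math

def field_attack_bits(p_bits: int) -> float:
    """Assumed model: log2 of the heuristic number field sieve cost
    L_p[1/3, (64/9)^(1/3)] for a p_bits-bit prime, o(1) term dropped."""
    ln_p = p_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3) / math.log(2)

def subgroup_attack_bits(q_bits: int) -> float:
    """Assumed model: generic square-root methods in the order-q subgroup
    cost about sqrt(q) group operations, i.e. q_bits / 2 bits of work."""
    return q_bits / 2

def dsa_strength(p_bits: int, q_bits: int):
    """Return (estimated work in bits, which parameter limits it)."""
    field = field_attack_bits(p_bits)
    sub = subgroup_attack_bits(q_bits)
    return (sub, "q") if sub <= field else (field, "p")

def strength_table(p_sizes, q_bits):
    """One row per modulus size: (p_bits, q_bits, work_bits, limiting)."""
    rows = []
    for p_bits in p_sizes:
        work, limit = dsa_strength(p_bits, q_bits)
        rows.append((p_bits, q_bits, round(work, 1), limit))
    return rows

if __name__ == "__main__":
    # q = 160 bits is what a 160-bit hash output gives you; growing p alone
    # leaves the estimate pinned at the q-side cost.
    for q_bits in (160, 256):
        for row in strength_table((512, 1024, 2048, 4096), q_bits):
            print("p=%4d q=%3d  ~2^%-6s limited by %s" % row)
```

With q fixed at 160 bits every row from 1024 bits upward is limited by q, which is why a longer p on its own changes the key size without changing the estimate.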