On Sat, 24 Aug 2002, Jon Callas wrote:
So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
algorithm does P1363 use with longer keys? What semantics does it have to go
with it?
P1363 doesn't seem to be linked off of the IEEE site anymore. Does anyone
have a copy they can mirror?
I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not
DSS.
I understand DSA to be limited to 1024 bits when using a 160 bit hash.
Using a larger hash would allow for larger key sizes. There has been some
speculation that a revised DSS may be specified by NIST using the new
larger SHA hashes. Should we anticipate this and add the new SHAs (at
least SHA-512) to the spec?
FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
even specifies double-width SHA1, since it's my understanding that most
cryptographers are skeptical that double-width SHA1 is any better than
single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
one of the newer NIST SHAs?
--Len.