On Thursday 17 February 2005 11:39, Werner Koch wrote:

We should really start thinking on how to switch to a different hash
algorithm. The question is whether sha-256 is really that much more
secure. From my understanding it has not been developed as a
replacement for SHA-1 but to meet the requirements of AES and to
extend DSA.

How would SHA-256 extend DSA? DSA uses a q of 160 bits(*), which limits the
implementation to a hash that delivers 160 bits or to cutting the hash back
to 160 bits.
As long as we still allow any hash to be used with DSA, one can attempt a
downgrade attack by altering the signature to use SHA-1 and then trying to
find a fitting text(**).
Or would that create a DSA-2 which uses a q of 256 bits?
How large would p be then?
Would that DSA-2 get a new Algorithm-ID, or is the q of 256 bits indicator
enough?
(*) apart from the p of 1024 bits
(**) yes, I know 2^69 is still a lot of computation and the attack wasn't
about finding a duplicate for a specific message, but....
Konrad
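The truncation rule behind Konrad's point (a 160-bit q means a signature can only carry 160 hash bits, however long the digest, while a 256-bit q lets SHA-256 through in full), as an added example that is not from the thread or from GnuPG: textbook DSA with the FIPS 186 leftmost-bits truncation. The toy parameter sizes, the hash names and the message bytes are assumptions; the verifier is expected to choose the hash from its own policy rather than from the signature.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin; fine for a demonstration, not for production parameter generation."""
    if n < 4 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13) if sp < n):
        return 1 < n < 4
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False  # this base is a witness: n is composite
    return True

def gen_params(nbits, lbits):
    """Toy DSA domain parameters: q exactly nbits long, p = k*q + 1 about lbits long.
    A real p is 1024 bits or more; lbits is kept small here only so this runs quickly."""
    q = 0
    while not is_probable_prime(q):
        q = secrets.randbits(nbits) | (1 << (nbits - 1)) | 1
    while True:
        k = secrets.randbits(lbits - nbits) | (1 << (lbits - nbits - 1))
        p, g = k * q + 1, pow(2, k, k * q + 1)  # 2^k mod p has order q unless it equals 1
        if g != 1 and is_probable_prime(p):
            return p, q, g

def bits_used(q, hashname):
    """Digest bits that actually reach the signature: min(N, outlen), N = bit length of q."""
    return min(q.bit_length(), 8 * hashlib.new(hashname).digest_size)

def hash_to_z(q, hashname, msg):
    """FIPS 186 truncation: keep only the leftmost min(N, outlen) bits of the digest."""
    d = hashlib.new(hashname, msg).digest()
    return int.from_bytes(d, "big") >> (8 * len(d) - bits_used(q, hashname))

def sign(p, q, g, x, hashname, msg):
    z, k = hash_to_z(q, hashname, msg), secrets.randbelow(q - 2) + 1
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (z + x * r) % q
    return (r, s) if r and s else sign(p, q, g, x, hashname, msg)  # retry on r == 0 or s == 0

def verify(p, q, g, y, hashname, msg, sig):
    """hashname must come from the verifier's own policy, never from an untrusted signature packet."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, z = pow(s, -1, q), hash_to_z(q, hashname, msg)
    return (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q == r
```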
