ietf-openpgp

Re: DSA hash algorithms

2005-02-25 13:07:16

* "Hal Finney" wrote:
> (Although RIPEMD-160 has not been attacked, the earlier RIPEMD hash was
> broken last year, and it seems plausible that the new attacks could work
> against RIPEMD-160 as well.)

IBTD. The same argument applies to the SHA-2 family. It is senseless.

> I suggest that we do one of two things.  We could change the spec to
> require SHA-1 with DSA keys, and then when NIST comes out with DSA-2
> which uses SHA-2 (which they have been promising for years now), we will
> then support the larger hashes.  Or we could change the spec to allow
> any hash >= 160 bits to be used with DSA keys.  We could follow the NIST
> recommendation in
> http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
> and use just the left 160 bits of the larger hash.

Because every hash of 160 bits will do, I'd propose to be as flexible as
possible. We can provide a general statement about hashes in all contexts:
 "If the digest is larger than expected, only the leftmost bits count."

I do not know if those truncated hashes provide the same level of security ...
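
The "leftmost bits" rule discussed in this message, as an added example that is not part of the original thread: a toy DSA in Python in which a key with a 160-bit q signs over SHA-256 by keeping only the leftmost 160 bits of the digest. The parameter sizes, the function names and the `truncate` switch are assumptions made for the illustration.

```python
# Added illustration (assumed names, freshly generated toy parameters; not production crypto).
import hashlib
import secrets

def odd_with_top_bit(bits):
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def is_probable_prime(n, rounds=24):
    """Miller-Rabin for odd n > 3."""
    s = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** j, n) != n - 1 for j in range(1, s)):
            return False
    return True

def toy_params(qbits=160, pbits=512):
    """Constructed demo group: prime q, prime p = 2*j*q + 1, generator g of order q."""
    while not is_probable_prime(q := odd_with_top_bit(qbits)):
        pass
    while not is_probable_prime(p := 2 * odd_with_top_bit(pbits - qbits - 1) * q + 1):
        pass
    h = 2
    while pow(h, (p - 1) // q, p) == 1:   # make sure g is not the identity
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def digest_to_int(digest, q, truncate=True):
    """Leftmost q.bit_length() bits of the digest; shorter digests are used whole."""
    shift = max(len(digest) * 8 - q.bit_length(), 0) if truncate else 0
    return int.from_bytes(digest, "big") >> shift

def sign(msg, hash_name, p, q, g, x):
    z = digest_to_int(hashlib.new(hash_name, msg).digest(), q)
    while True:
        k = secrets.randbelow(q - 1) + 1          # fresh per-signature secret
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def verify(msg, hash_name, sig, p, q, g, y, truncate=True):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    z = digest_to_int(hashlib.new(hash_name, msg).digest(), q, truncate)
    w = pow(s, -1, q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

With `truncate=False` the verifier feeds the whole 256-bit digest into the arithmetic and rejects a signature made under the truncation rule, so signer and verifier have to apply the same rule.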

