ietf-openpgp

Re: How to Calculate Signatures?

2005-04-04 07:09:27

On 3 Apr 2005, at 12:39 PM, Hal Finney wrote:

For all of these reasons, I am tempted to allow the SHA-2 family with
current DSA keys, as an interim measure pending the move to DSS-2.

FIPS 180, which defines the SHA family, had a change notice to add SHA-224,
a truncated form of SHA-256.  This document,
<http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf>,
describes truncation of hash algorithms on page 73:

"Some applications may require a hash function with an output size
(i.e., message digest size) different than those provided by the hash
functions in this Standard. In such cases, a truncated hash output may be used,
whereby a hash function with a larger output size is applied to the
data to be hashed, and the resulting output (i.e., message digest) is
truncated by selecting an appropriate number of the leftmost bits. For
example, if an output of 96 bits is desired, the SHA256 hash function
could be used (e.g., because it is available to the application), and
the leftmost 96 bits of the output are selected as the message digest,
discarding the rightmost 160 bits of the SHA-256 output."


This is the reason that Beta 1 of PGP 9.0 allowed SHA-256, and did precisely that. However, we decided that that was pushing things, and it's not going to be in Beta 2.

        Jon
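
The leftmost-bits truncation from the FIPS 180-2 passage quoted above, as an added example that is not part of the original message and is not PGP's code. The function names are hypothetical, the input `b"abc"` is a constructed sample, and the 160-bit default assumes the subgroup size of the current DSA keys under discussion.

```python
import hashlib


def leftmost_bits(digest: bytes, nbits: int) -> bytes:
    """Keep the leftmost nbits of digest; unused low bits of the last byte are zeroed."""
    if not 0 < nbits <= len(digest) * 8:
        raise ValueError("nbits must be between 1 and the digest size in bits")
    nbytes, extra = divmod(nbits, 8)
    out = bytearray(digest[:nbytes + (1 if extra else 0)])
    if extra:
        # Mask off the bits beyond nbits in the final, partial byte.
        out[-1] &= (0xFF << (8 - extra)) & 0xFF
    return bytes(out)


def truncated_sha256(message: bytes, nbits: int) -> bytes:
    """SHA-256 truncated as in the quoted passage: leftmost bits kept, rest discarded."""
    return leftmost_bits(hashlib.sha256(message).digest(), nbits)


def dsa_hash_integer(message: bytes, q_bits: int = 160) -> int:
    """Leftmost q_bits of SHA-256 as a big-endian integer, the value a DSA
    signer with a q_bits-wide subgroup order would sign (assumed usage)."""
    if not 0 < q_bits <= 256:
        raise ValueError("q_bits must be between 1 and 256")
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - q_bits)


def differs_from_sha224(message: bytes) -> bool:
    """SHA-224 uses its own initial values, so its output is not the
    leftmost 224 bits of the SHA-256 digest of the same message."""
    return hashlib.sha224(message).digest() != truncated_sha256(message, 224)


if __name__ == "__main__":
    msg = b"abc"  # constructed sample input
    print("96-bit :", truncated_sha256(msg, 96).hex())
    print("160-bit:", truncated_sha256(msg, 160).hex())
    print("DSA int:", hex(dsa_hash_integer(msg)))
    print("SHA-224 differs from truncated SHA-256:", differs_from_sha224(msg))
```

Both signer and verifier must apply the same truncation, since a verifier that reduces the full 256-bit digest differently will reject the signature.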