ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: NIST publishes new DSA draft // larger DSA signing keys ?

2006-03-21 17:05:48
from [vedaal] [Permanent Link] 

until now the discussion has centered on the larger SHA hash sizes

in section 4.2 of the NIST draft, the following recommendation 
about key sizes is listed, and seems to imply that DSA signing key 
sizes should be the same as DH encryption key sizes:

=====[ begin quote ]=====

It is recommended that the security strength of the (L, N) pair and 
the
hash function be the same unless an agreement has been made between 
participating entities to use a stronger hash function; a hash 
function that provides a lower security strength than the (L,N) 
pair shall not be used.
If the output of the hash function is greater than N (i.e., the bit 
length of q), then the leftmost N bits of the hash function output 
block shall be used in any calculation using the hash function 
output during the generation or verification of a digital 
signature.

Special Publication (SP) 800-57 provides information about the 
selection of the appropriate (L,N) pair in accordance with a 
desired security strength for a given time period. An (L, N) pair 
shall be chosen that protects the signed information during the 
entire expected lifetime of that information. For example, if a 
digital signature is generated in 2008 for information that needs 
to be protected for five years, and a particular (L, N) pair is 
invalid after 2010, then a larger (L, N)pair shall be used that 
remains valid for the entire period of time that the information 
needs to be protected.

A Federal Government entity other than a Certification Authority 
(CA) should use only the first three (L, N) pairs (i.e., the (1024, 
160), (2048, 224) and (2048, 256) pairs). A CA shall use an (L,N) 
pair that is equal to or greater than the (L, N) pairs used by its 
subscribers. For example, if subscribers are using the (2048, 224) 
pair, then the CA shall use either the (2048, 224), (2048,256) or 
(3072, 256) pair. Possible exceptions to this rule include cross 
certification between
CAs, certifying keys for purposes other than digital signatures and 
transitioning from one key size or algorithm to another. See SP 800-
57 for further guidance.

=====[ end quote ]=====

can increasing the size of a DSA signing key to equal a the size of 
a DH encryption key be done, and still be a valid V4 key, with 
larger SHA signatures verifiable by existing open-pgp 
implementations,

or does it need a new key type before it can be done? 


vedaal

 





Concerned about your privacy? Instantly send FREE secure email, no account 
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: NIST publishes new DSA draft // larger DSA signing keys ?, vedaal <=
Previous by Date:  Re: NIST publishes new DSA draft, David Shaw
Next by Date:  Suggested changes for DSA2, David Shaw
Previous by Thread:  NIST publishes new DSA draft, David Shaw
Next by Thread:  Suggested changes for DSA2, David Shaw
Indexes:  [Date] [Thread] [Top] [All Lists]