On 19/08/2015 09:27 am, Andrey Jivsov wrote:
> Please note that presently DSA or ECDSA truncate hashes. A digital
> signature with a DSA key with FIPS 186-3 L=2048 N=224 and a SHA3-256
> hash algorithm has security properties similar to the case when SHA3-224
> hash was used instead. In other words, an application already has a tool
> to use a 224-bit hash via an appropriate DSA/ECDSA key.
>
> RSA signatures have plenty of "free" space for the hash, therefore, it's
> not clear why SHA3-224 would be needed.

For reasons like the above and the rest of the conversation (and Peter's
comment), I think we should be examining SHAKE more closely. The world
of hashes has changed fundamentally because of Sponge. The old
assumptions embedded in the above are literally that - old, tired,
historical. If we want to make OpenPGP for the future, we want to have
a stab at aiming for that future.
iang
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
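
The truncation discussed in this thread, as an added example that is not part of either message: FIPS 186 signs the leftmost min(N, outlen) bits of the digest, so a SHA3-256 digest under an N=224 key contributes only its first 224 bits. The function names are made up for this sketch, and the SHAKE branch (squeezing just enough whole bytes to cover N bits) is an assumption about how a XOF would be used, not anything OpenPGP specifies.

```python
import hashlib

def bits2int(digest: bytes, n_bits: int) -> int:
    """Return z: the leftmost min(n_bits, outlen) bits of digest, as an integer."""
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > n_bits:
        # Drop the rightmost bits; this also covers an N that is not a multiple of 8.
        z >>= outlen - n_bits
    return z

def signing_input(message: bytes, hash_name: str, n_bits: int) -> int:
    """Hash message and reduce it to the integer a key with an N-bit order signs."""
    h = getattr(hashlib, hash_name)(message)
    if hash_name.startswith("shake_"):
        # Assumption: squeeze ceil(N/8) bytes from the XOF, then trim to N bits.
        digest = h.digest((n_bits + 7) // 8)
    else:
        digest = h.digest()
    return bits2int(digest, n_bits)

def digest_bits_used(hash_name: str, n_bits: int) -> int:
    """Number of digest bits that actually reach the signature equation."""
    if hash_name.startswith("shake_"):
        return n_bits
    return min(n_bits, getattr(hashlib, hash_name)().digest_size * 8)

def tail_is_ignored(message: bytes, n_bits: int = 224) -> bool:
    """True if zeroing the last 32 bits of the SHA3-256 digest leaves z unchanged."""
    full = hashlib.sha3_256(message).digest()
    tampered = full[:28] + bytes(4)
    return bits2int(tampered, n_bits) == signing_input(message, "sha3_256", n_bits)

if __name__ == "__main__":
    msg = b"constructed sample message"   # constructed input, not from the thread
    for name, n in [("sha3_256", 224), ("sha3_224", 224),
                    ("sha3_224", 256), ("shake_256", 521)]:
        z = signing_input(msg, name, n)
        print(f"{name:9s} N={n:3d} digest bits used={digest_bits_used(name, n):3d} "
              f"z={z:x}")
    print("last 32 bits of SHA3-256 ignored at N=224:", tail_is_ignored(msg))
```

SHA3-256 truncated to 224 bits is not the same value as SHA3-224 of the same message; the two are different functions, and the quoted claim concerns the number of digest bits that bind the signature.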