long-term GPG signing key

Ian G iang at systemics.com
Wed Jan 11 10:00:02 EST 2006


Travis H. wrote:
> On 1/10/06, Ian G <iang at systemics.com> wrote:
> 
>>2. DSA has a problem, it relies on a 160
>>bit hash, which is for most purposes the
>>SHA-1 hash.  Upgrading the crypto to cope
>>with current hash circumstances is not
>>worthwhile;  we currently are waiting on
>>NIST to lead review in hashes so as to
>>craft a new generation.
> 
> 
> What's wrong with SHA-256 and SHA-512?
> 
> http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf
> 
> I agree though that hashes (I hate the term, hashing has little to do
> with creating OWFs) are not as advanced as block cipher design, and
> 160 bits seems rather small, but surely SHA-256 would be better than
> throwing one's hands up, claiming it's unsolvable, and sticking with
> SHA-1, right?

Well, it's a pragmatic situation:

   * all SHA algorithms are under a cloud
   * anything 160 bits or less is under a dark-ish cloud
   * the bigger ones won't break, but maybe
     the engineering will all change anyway
   * DSA has to be upgraded anyway
   * what's wrong with RSA in this role?
   * where's the threat to the DSA algorithm given that
     the attack is the birthday attack?
   * where's the threat to any extant usage of DSA
     (within its application profile)?

Pragmatically, wait and see is a good choice here,
IMO, but others disagree.

> If the problem is size, the answer is there.  If the problem is
> structural, a temporary answer is there.

DSA is fixed to a 160 bit hash (or is it DSS?).
So, it's possible to do RIPEM or a chopped off
version of SHA-256.  The question is, what does
that gain you?  Not that much, and probably not
as much as the pain of rolling out a new digsig
algorithm.

> Using two structurally different hashes seems like a grand idea for
> collision resistance, but bad for one-wayness.  One-wayness seems to
> matter for message encryption, but doesn't seem to matter for signing
> public keys - or am I missing something?

Well, using two different MDs to cover one
failing is a plausible idea - but at a logical
and cryptographic level, all you are doing is
inventing your own hash algorithm, constructed
from some prior work.

So, we can look at for example cipher chaining
like triple-DES.  There are strange artifacts
such as groups where non-obvious things come
in and trip you up.  Even though triple-DES
is still considered to have avoided that trap,
its relatively small block size means you can
now put the entire decrypt table on a dvd (or
somesuch, I forget the maths).

So in general, it's not a good idea to just
invent your own algorithms;  if you could do
better so easily, so could the professional
cryptographers, and they would have by now.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com