long-term GPG signing key

Ian G iang at systemics.com
Wed Jan 11 10:00:02 EST 2006

Travis H. wrote:
> On 1/10/06, Ian G <iang at systemics.com> wrote:
>>2. DSA has a problem, it relies on a 160
>>bit hash, which is for most purposes the
>>SHA-1 hash.  Upgrading the crypto to cope
>>with current hash circumstances is not
>>worthwhile;  we currently are waiting on
>>NIST to lead review in hashes so as to
>>craft a new generation.
> What's wrong with SHA-256 and SHA-512?
> http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf
> I agree though that hashes (I hate the term, hashing has little to do
> with creating OWFs) are not as advanced as block cipher design, and
> 160 bits seems rather small, but surely SHA-256 would be better than
> throwing one's hands up, claiming it's unsolvable, and sticking with
> SHA-1, right?

Well, it's a pragmatic situation:

   * all SHA algorithms are under a cloud
   * anything 160 bits or less is under a dark-ish cloud
   * the bigger ones won't break, but maybe
     the engineering will all change anyway
   * DSA has to be upgraded anyway
   * what's wrong with RSA in this role?
   * where's the threat to the DSA algorithm given that
     the attack is the birthday attack?
   * where's the threat to any extant usage of DSA
     (within its application profile)?

Pragmatically, wait and see is a good choice here,
IMO, but others disagree.

> If the problem is size, the answer is there.  If the problem is
> structural, a temporary answer is there.

DSA is fixed to a 160 bit hash (or is it DSS?).
So, it's possible to do RIPEM or a chopped off
version of SHA-256.  The question is, what does
that gain you?  Not that much, and probably not
as much as the pain of rolling out a new digsig.

> Using two structurally different hashes seems like a grand idea for
> collision resistance, but bad for one-wayness.  One-wayness seems to
> matter for message encryption, but doesn't seem to matter for signing
> public keys - or am I missing something?

Well, using two different MDs to cover one
failing is a plausible idea - but at a logical
and cryptographic level, all you are doing is
inventing your own hash algorithm, constructed
from some prior work.

So, we can look at for example cipher chaining
like triple-DES.  There are strange artifacts
such as groups where non-obvious things come
in and trip you up.  Even though triple-DES
is still considered to have avoided that trap,
its relatively small block size means you can
now put the entire decrypt table on a dvd (or
somesuch, I forget the maths).

So in general, it's not a good idea to just
invent your own algorithms;  if you could do
better so easily, so could the professional
cryptographers, and they would have by now.
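As an added illustration of the "chopped off SHA-256" idea raised above (example code, not from the list or either poster): a textbook DSA sign/verify in Python where the message digest is the leftmost 160 bits of SHA-256, the adjustment that FIPS 186-3 later standardized. The parameter sizes (160-bit q, 512-bit p), the Miller-Rabin helper and the sample message are assumptions made so the demo runs quickly and offline.

```python
import hashlib, random
rng = random.SystemRandom()

def is_probable_prime(n, rounds=16):
    # Miller-Rabin for odd n > 3 (demo quality: no small-prime sieve)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

# iter(make, None) calls make() forever; next() returns the first candidate ok() accepts
first = lambda make, ok: next(c for c in iter(make, None) if ok(c))

def generate_params(L=512, N=160):
    # Constructed demo params: 160-bit q (the width DSA was tied to in 2006), 512-bit p for speed
    q = first(lambda: rng.getrandbits(N) | (1 << (N - 1)) | 1, is_probable_prime)
    p = first(lambda: 2 * rng.getrandbits(L - N - 1) * q + 1, is_probable_prime)
    g = first(lambda: pow(rng.randrange(2, p - 1), (p - 1) // q, p), lambda g: g > 1)
    return p, q, g

def truncated_digest(msg, q):
    # "Chopped off" SHA-256: keep only the leftmost bits matching q's width
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - q.bit_length())

def sign(msg, p, q, g, x):
    z = truncated_digest(msg, q)
    while True:
        k = rng.randrange(1, q)  # fresh per-signature nonce; must never repeat
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def verify(msg, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):  # reject out-of-range r, s before any arithmetic
        return False
    z, w = truncated_digest(msg, q), pow(s, -1, q)
    v = pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r
```

Nothing about the signature scheme changes when the digest is swapped; the only thing tied to 160 bits is the width of q, which is why the thread treats the truncation as a small gain rather than a real upgrade.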


The Cryptography Mailing List