Re: Signature length of DSA

From: Michael Brown (see_at_signature.below)
Date: 11/29/03

  • Next message: David Wagner: "Re: Good enough for crypto?" 
    Date: Sat, 29 Nov 2003 20:53:06 +1300

    Tom St Denis wrote:
    > "Michael Brown" <see@signature.below> wrote in message
    > news:PtAxb.12280$VV6.272318@news.xtra.co.nz...
    >> Rereading though the DSA specification and some other literature,
    >> and am wondering a bit about the impact of reducing the signature
    >> length. Obviously, reducing the public key decreases the security
    >> because it's easier to factor, and increases the speed. However, I
    >> coudln't find any information about the effects of reducing the
    >> signature length (ie: q) from 160 bits to, say, 128 bits (by
    >> dropping the last 32 bits of SHA1). Obviously it makes birthday and
    >> brute-force attacks easier (as in any hashing function), but is
    >> there any other attcks that become viable by doing this?
    >
    > 160 wasn't really a random choice for DSA. At 160 bits you make the
    > SQRT attacks take about the same amount of time as GNFS. At 128-bits
    > you make them faster.

    Thanks for the info :) Just to make sure I'm thinking of the same attack ...
    this is the attack requires two signatures with the same r value?

    > Personally I wouldn't use a sub-group of less than 192 bits myself
    > [stick with 256 its a nice round number] as that makes SQRT attacks
    > totally infeasible. 

    --
Michael Brown
www.emboss.co.nz : OOS/RSI software and more :)
Add michael@ to emboss.co.nz - My inbox is always open
  • Next message: David Wagner: "Re: Good enough for crypto?"

    Relevant Pages

    • Signature length of DSA
      ... wondering a bit about the impact of reducing the signature length. ... reducing the public key decreases the security because it's ... it makes birthday and brute-force attacks easier (as in any hashing ... Michael Brown ...
      (sci.crypt)
    • Re: Signature length of DSA
      ... > Rereading though the DSA specification and some other literature, ... > wondering a bit about the impact of reducing the signature length. ... attacks take about the same amount of time as GNFS. ...
      (sci.crypt)