> > DSA signatures are 320 bits long.
>
> Isn't the public key between 512-1024 bits (given that the modulus and other
> constants are shared)?
Yes, sorry, that is basically correct. For some reason I got started
thinking of signatures, but that is not relevant here.
Actually a DSA public key has up to four parts:
a modulus p, 512-1024 bits (and today we would stick to the upper end
of that range);
a subgroup size q which divides p-1, 160 bits;
a generator g whose order is q, generally the same size as p;
a public value y, also about the same size as p.
There is also a 160 bit secret component x, and the relation which ties
them all together is y = g^x mod p, where ^ is exponentiation.
The total public key size will therefore be up to 3*1024 + 160 bits
or 3232 bits. This is 800 characters of hex, 540 of base64, or 400 of
raw binary. That may be a bit much to pass around.
With DSA keys it is attractive to have all of them share the same
p, q and g values. Those would be a system-wide set of parameters.
In that case the key is only the y value, about 1024 bits. This also
makes keygen very easy, almost trivial: pick a random 160 bit x, and
compute y = g^x mod p. This would be attractive for SVK's which get
generated for each inserted document.
The down side to doing this is that the keys can all be broken together.
Put another way, if you break one, you have broken them all. However the
work needed to break 1024 bit DSA is very large, somewhat larger than that
needed to break a 1024 bit RSA key. Based on the discussion on sci.crypt
by some of the people who have actually implemented these algorithms,
keys of this size should be safe for many years, probably decades.
Eventually we would want to migrate to larger keys. The bottleneck with
DSA is that the hash size must grow if the key size grows. This summer,
NIST (the US standards body) is expected to come out with a new hash,
a replacement or alternative to SHA that will produce larger output.
This can then allow larger DSA keys, although there could be a few months'
delay before the new DSA standard is published that fully specifies the
relative size of the various parameters.
Hal
_______________________________________________
Freenet-dev mailing list
Freenet-dev at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
