"Cico, Michael" <[EMAIL PROTECTED]> writes:
> What is the recommended minimum key size for DSA?  Currently I'm using 1024
> bits, but what other (smaller) sizes are considered secure?  I'm just
> wondering what can be used if 1024 bit proves too much of a performance
> liability.  
> 
> The RSA web site only says that 1024 bit keys "are considered secure" for
> DSA.  They mentioned that DSS specifies key sizes "up to 1024 bits", but the
> OpenSSL documentation says that any key size can be used for DSA.  Which is
> correct?
Technically, they're both correct.

The strength of DSA keys is actually limited by two numbers, not
one:
The size that everyone quotes is the size of the group prime, p
(i.e. |p|). This number is variable.

The size of the private key is fixed at 160 bits and matches
the size of the subgroup prime q (i.e. |q|).

A p of 1024 bits roughly matches a q of 160 bits so 1024 is a good
choice. The DSA standard technically requires 512 <= |p| <= 1024
but you could technically use |p| > 1024. It's not clear what this
would buy you with |q| == 160, however. 

You can certainly use |p| < 1024 but it's correspondingly weaker.
I would say that 768 is the lower limit for even fairly casual
use.

-Ekr

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
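The two sizes described in the reply above, shown on generated parameters. This is an added example, not part of the original message or of OpenSSL; `gen_params` and `report` are hypothetical helper names, and the parameters are constructed with a seeded PRNG so the run is reproducible.

```python
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; n is composite if any round finds a witness."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(p_bits, q_bits=160, seed=1):
    """Constructed demo parameters; seeded PRNG for reproducibility only."""
    rng = random.Random(seed)
    while True:  # subgroup prime q, exactly q_bits long
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:  # group prime p = k*q + 1, exactly p_bits long
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            break
    h = 2
    while pow(h, (p - 1) // q, p) == 1:  # find a generator of the order-q subgroup
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def report(p, q, g, seed=2):
    """Sizes of both primes and of a key pair drawn from these parameters."""
    x = random.Random(seed).randrange(1, q)  # private key is always below q
    y = pow(g, x, p)                         # public key is an element mod p
    return {"p_bits": p.bit_length(), "q_bits": q.bit_length(),
            "x_bits": x.bit_length(), "y_bits": y.bit_length(),
            "q_divides_p_minus_1": (p - 1) % q == 0,
            "g_has_order_q": g > 1 and pow(g, q, p) == 1}

if __name__ == "__main__":
    for bits in (512, 768, 1024):
        print(report(*gen_params(bits)))
```

Whatever |p| is chosen, the private key stays within 160 bits because it is drawn below q; only the public key and the group arithmetic grow with p.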
