| |
 |
|
|
Science Forum Index » Cryptography Forum » RSA vs DH
Page 1 of 6 Goto page 1, 2, 3, 4, 5, 6 Next
|
| Author |
Message |
| Ivan Voras |
 Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
As I understand it, PGP supports two public key systems: RSA and
Diffie-Hellman. Are they completely unrelated? Which is better (e.g.
ignoring brute-force, is a 1024bit DH keypair harder to break than 1024bit
RSA keypair?)
--
--
Logic is a systematic method of coming to the wrong conclusion with
confidence. |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Henrick Hellström wrote:
Quote: Paul Rubin wrote:
Henrick Hellström <henrick.hellstrm@telia.com> writes:
Unusual, perhaps, but I don't think it is bizarre. By generating new
system parameters each time you will (or might, depending on the
algorithm I guess) make it harder to calculate the discrete logarithm
of several public keys in parallel.
If you have a real concern that somebody's going to do that, then use
a bigger field.
That might not give you an optimal security/performance trade off, e.g.
if you are using the keys in TLS handshakes.
Really? That somehow seems hard to believe. I would have expected
the exact opposite. Do you have any calculations to back this claim up?
Quote: Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can. |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Paul Rubin wrote:
Quote: daw@taverner.cs.berkeley.edu (David Wagner) writes:
Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can.
I thought FIPS pub whatever said 512-1024 bits.
I don't recall what the FIPS says, but why should we care?
DSA is a perfectly good algorithm at key sizes above 1024 bits,
whatever the FIPS might or might not say.
Quote: Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
Well, of course you'd increase the size of q along with p. The idea is
to make the workfactor of generic attacks on the subgroup (about sqrt(q)
steps) roughly matches the workfactor of number-theoretic attacks on Z/pZ
(subexponential in p steps). It's just like Diffie-Hellman with short
exponents. |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Henrick Hellström wrote:
Quote: That is probably correct, but it was my post he replied to, and I was
talking about DSS. 
Yeah. Ok, obviously I should have called it "the algorithm currently
known as DSA". :)
I can't put together much excitement over arguing about the difference
between DES and DEA, either... |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Henrick Hellström wrote:
Quote: David Wagner wrote:
Henrick Hellström wrote:
That might not give you an optimal security/performance trade off, e.g.
if you are using the keys in TLS handshakes.
Really? That somehow seems hard to believe. I would have expected
the exact opposite. Do you have any calculations to back this claim up?
Why do you find that hard to believe?
Oh, now I get it. I withdraw my comment; I was confused. I see your
point.
I thought you wanted forward security, so you were generating a new public
key for every transaction. But on re-reading the thread, that wasn't
what you were suggesting; I don't know where my mistaken impression came
from, but I apologize.
If you're only rarely generating a key, then I agree, it probably doesn't
hurt to generate new primes. Key generation isn't performance critical
if it is done only rarely.
It's when you generate a new key for every transaction that it makes
a difference whether you generate new parameters or not. In this
case, it is much better not to generate new parameters; the optimal
security/performance trade off (I would expect) will be to re-use
parameters and just generate a new key. |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Henrick Hellström wrote:
That's what I was afraid you were going to say. I stand by my
claim: This is silliness. NIST's restriction to 1024 bit keys
was pretty silly, and feeling bound by their bogus restriction
is just continuing the silliness.
Quote: Of course 1024 is not a theoretical or a computational limit, but if you
toss together a X.509 certificate with a DSA-3072/256 key and a
DSA-SHA256 signature you will become painfully aware that there isn't
any software that will recognize neither the key nor the signature. The
standard is in this sense setting a practical limit.
Well, wait, let's not confuse software support with reasonable algorithm
choices. Try to use a RSA public exponent larger than 65537, and have
fun with the tools that won't recognize it. That doesn't mean that
large exponents are necessarily a poor idea.
Likewise, let's not confuse large-prime DSA with SHA256. Ok, maybe
tools that support SHA256 are rare, but that's fine with me. The real
question is: Do most tools that support 1024-bit DSA (with SHA1) have
trouble with 2048-bit DSA (with SHA1)? If so, that's disappointing.
(But it still doesn't mean that large-prime DSA is a bad idea.)
To be perfectly clear: The primary reason I'd use large-prime DSA is
not because I'm terribly worried about 2^80 attacks, but because I have
some concern about the possibility of algorithmic improvements. Shamir
and Tromer's work on TWINKLE comes to mind, for instance. And, if this
is your threat model, I don't think there's any reason to feel compelled
to use SHA256; SHA1 might be perfectly adequate. |
|
|
| Back to top |
|
| David Wagner |
| Posted: Wed Dec 17, 2003 8:58 pm |
|
|
|
Guest
|
Paul Rubin wrote:
Quote: daw@taverner.cs.berkeley.edu (David Wagner) writes:
I don't recall what the FIPS says, but why should we care?
DSA is a perfectly good algorithm at key sizes above 1024 bits,
whatever the FIPS might or might not say.
Well, sure, but then it's not standards-conformant and won't
interoperate with a lot of the real-world software that's out there,
as Hendrik pointed out.
Lack of software support would be troubling, I agree. Is it
really true? Do people really write software that takes special
pains to bail out if your DSA key is larger than 1024 bits? Does
OpenSSL do this, for instance? If so, how disappointing.
(I don't think gpg does, for instance...)
As for standards-compliance for its own sake, I couldn't care less.
The standard's restriction to 1024 bits is totally arbitrary, and I
don't see why I should be bothered by non-compliance with such a lame
condition.
(I'm surprised the anti-export-control folks aren't advocating we
all use 1025 bit or longer DSA keys, as a form of symbolic protest
against such silliness.  |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Wed Dec 17, 2003 9:22 pm |
|
|
|
Guest
|
"Ivan Voras" <ivoras!@!geri.cc.fer.hr> writes:
Quote: As I understand it, PGP supports two public key systems: RSA and
Diffie-Hellman. Are they completely unrelated? Which is better (e.g.
ignoring brute-force, is a 1024bit DH keypair harder to break than 1024bit
RSA keypair?)
They're related but not identical. DH (actually El-Gamal) is
marginally harder to break at the same key size, but if you're really
worried about that, go to 2048 bits either way. EG is somewhat slower
for decryption, quite a bit slower for encryption, but much faster for
key generation. The main reason for switching over, however, was
hassles in the 1990's about the RSA patent. The patent expired in
2000 so both algorithms are public domain now. |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Wed Dec 17, 2003 9:49 pm |
|
|
|
Guest
|
Paul Rubin wrote:
Quote: They're related but not identical. DH (actually El-Gamal) is
marginally harder to break at the same key size, but if you're really
worried about that, go to 2048 bits either way. EG is somewhat slower
for decryption, quite a bit slower for encryption, but much faster for
key generation.
I guess this means that PGP does not generate new DH system parameters
for each key pair, but only a random private key and the corresponding
public key in some predefined field.
RSA-2048 key generation is faster than DH-2048 key generation if you
include the time it takes to generate the system parameters. (It is just
a matter of at most a few seconds computation time on modern computers
in either case anyway.) |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Wed Dec 17, 2003 9:55 pm |
|
|
|
Guest
|
Henrick Hellström <henrick.hellstrm@telia.com> writes:
Quote: I guess this means that PGP does not generate new DH system parameters
for each key pair, but only a random private key and the corresponding
public key in some predefined field.
Yes, that's correct.
Quote: RSA-2048 key generation is faster than DH-2048 key generation if you
include the time it takes to generate the system parameters. (It is
just a matter of at most a few seconds computation time on modern
computers in either case anyway.)
But it's unusual if not downright bizarre to generate new system
parameters every time you want to generate a DH key. |
|
|
| Back to top |
|
| Tom McCune |
| Posted: Wed Dec 17, 2003 10:03 pm |
|
|
|
Guest
|
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote in
news:7x1xr26f0q.fsf@ruckus.brouhaha.com:
Quote: They're related but not identical. DH (actually El-Gamal) is
marginally harder to break at the same key size, but if you're really
worried about that, go to 2048 bits either way. EG is somewhat slower
for decryption, quite a bit slower for encryption, but much faster for
key generation. The main reason for switching over, however, was
hassles in the 1990's about the RSA patent. The patent expired in
2000 so both algorithms are public domain now.
As you can see with my testing results at
http://www.mccune.cc/PGPpage2.htm#Speed
DH(EG) encryption is very much slower than RSA encryption.
DH(EG) decryption is about twice as fast as RSA decryption.
Unless you use canned primes (the default for PGP) for DH key generation,
RSA key generation is very much faster that DH(EG) key generation.
--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Wed Dec 17, 2003 10:14 pm |
|
|
|
Guest
|
Paul Rubin wrote:
Quote: Henrick Hellström <henrick.hellstrm@telia.com> writes:
RSA-2048 key generation is faster than DH-2048 key generation if you
include the time it takes to generate the system parameters. (It is
just a matter of at most a few seconds computation time on modern
computers in either case anyway.)
But it's unusual if not downright bizarre to generate new system
parameters every time you want to generate a DH key.
Unusual, perhaps, but I don't think it is bizarre. By generating new
system parameters each time you will (or might, depending on the
algorithm I guess) make it harder to calculate the discrete logarithm of
several public keys in parallel. |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Wed Dec 17, 2003 10:17 pm |
|
|
|
Guest
|
Tom McCune <tom@DELETE_THISmccune.cc> writes:
Quote: DH(EG) encryption is very much slower than RSA encryption.
DH(EG) decryption is about twice as fast as RSA decryption.
Unless you use canned primes (the default for PGP) for DH key generation,
RSA key generation is very much faster that DH(EG) key generation.
It didn't occur to me that anyone generates a new field at keygen
time, or that the key format even included a way to specify the field.
GPG doesn't present the option of generating a new field when you
generate an EG key the normal way, though there might be some advanced
command that does it. There's really no reason to do it. If you're
paranoid enough to think that an attacker can break DLP over the
canned field, you ought to expect they can also break it over a newly
generated field. |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Wed Dec 17, 2003 10:18 pm |
|
|
|
Guest
|
Henrick Hellström <henrick.hellstrm@telia.com> writes:
Quote: Unusual, perhaps, but I don't think it is bizarre. By generating new
system parameters each time you will (or might, depending on the
algorithm I guess) make it harder to calculate the discrete logarithm
of several public keys in parallel.
If you have a real concern that somebody's going to do that, then use
a bigger field. |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Wed Dec 17, 2003 10:32 pm |
|
|
|
Guest
|
Paul Rubin wrote:
Quote: Henrick Hellström <henrick.hellstrm@telia.com> writes:
Unusual, perhaps, but I don't think it is bizarre. By generating new
system parameters each time you will (or might, depending on the
algorithm I guess) make it harder to calculate the discrete logarithm
of several public keys in parallel.
If you have a real concern that somebody's going to do that, then use
a bigger field.
That might not give you an optimal security/performance trade off, e.g.
if you are using the keys in TLS handshakes.
Furthermore, DSA keys cannot be larger than 1024 bits. I hope DSS will
be extended with DSA 2048/224 and DSA 3076/256, but it remains to be seen. |
|
|
| Back to top |
|
| |
Page 1 of 6 Goto page 1, 2, 3, 4, 5, 6 Next
All times are GMT - 5 Hours
The time now is Sun Sep 07, 2008 3:28 pm
|
|