|
Science Forum Index » Cryptography Forum » RSA vs DH
Page 2 of 6 Goto page Previous 1, 2, 3, 4, 5, 6 Next
|
| Author |
Message |
| Roger Schlafly |
 Posted: Wed Dec 17, 2003 11:02 pm |
|
|
|
Guest
|
"Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote
Quote: Unless you use canned primes (the default for PGP) for DH key
generation,
RSA key generation is very much faster that DH(EG) key generation.
It didn't occur to me that anyone generates a new field at keygen
time, or that the key format even included a way to specify the field.
.... There's really no reason to do it.
I agree. Using canned primes is fine. If you are really paranoid,
you could occasionally change the field, but on average DH
key generation will still be a whole lot faster than RSA. |
|
|
| Back to top |
|
| Roger Schlafly |
| Posted: Wed Dec 17, 2003 11:04 pm |
|
|
|
Guest
|
"Henrick Hellström" <henrick.hellstrm@telia.com> wrote
Quote: Furthermore, DSA keys cannot be larger than 1024 bits.
DSA keys can be as large as you like, according to IEEE-1363
and other standards. |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Wed Dec 17, 2003 11:22 pm |
|
|
|
Guest
|
daw@taverner.cs.berkeley.edu (David Wagner) writes:
Quote: Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can.
I thought FIPS pub whatever said 512-1024 bits. Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger. |
|
|
| Back to top |
|
| Tom St Denis |
| Posted: Wed Dec 17, 2003 11:34 pm |
|
|
|
Guest
|
"Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote in message
news:7x3cbi4uw0.fsf@ruckus.brouhaha.com...
Quote: daw@taverner.cs.berkeley.edu (David Wagner) writes:
Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can.
I thought FIPS pub whatever said 512-1024 bits. Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
I think what David meant was the DS algorithm can work for larger
fields/groups just as easily. True that DSS specifies upto 1kbit fields
with 160-bit groups...
Tom |
|
|
| Back to top |
|
| Roger Schlafly |
| Posted: Wed Dec 17, 2003 11:35 pm |
|
|
|
Guest
|
"Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote
Quote: I thought FIPS pub whatever said 512-1024 bits. Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
You can make both parameters as large as you like. See IEEE-1363.
The largest discrete logs in a non-special field that anyone has done
were only about 400 bits, so 1024 bits is plenty secure for most
purposes anyway. |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Wed Dec 17, 2003 11:52 pm |
|
|
|
Guest
|
David Wagner wrote:
Quote: Henrick Hellström wrote:
That might not give you an optimal security/performance trade off, e.g.
if you are using the keys in TLS handshakes.
Really? That somehow seems hard to believe. I would have expected
the exact opposite. Do you have any calculations to back this claim up?
Why do you find that hard to believe? Assume the TLS server has a X.509
certificate with a DSA key:
Case #1. The key belongs to a pre-defined field,
Case #2. The key belongs to a field specific to that key.
For generic software, the performance will be (practically) the same in
both cases. For some software Case #1 will be slower (the params have to
be established through certificate chaining), and for other software it
will be slightly faster (field specific optimization).
If the size of the DSA key is the same in both case #1 and case #2, the
latter will on average be more secure (given that the system parameter
and key generation process is secure). Let 1024+x be the least number of
bits the key in #1 has to have to be as secure as a 1024 bit key in #2.
The x additional bits in #1 entail a performance penalty.
Furthermore, note that the purpose of DSA keys in TLS is only to sign
the ephemeral key exchange messages. A TLS session will not be
compromised if the DSA key is compromised only some time after the
session handshake. I find it highly unlikely that anyone is able to
calculate the discrete logarithm of 1024/160 bit numbers within a year
using contemporary hardware. This might be possible by the year 2010.
The Ephemeral Diffie-Hellman keys that are used during the handshake are
a different matter. Getting Perfect Forward Secrecy until 2030 instead
of 2010 might be worth the ~400% performance hit associated with using
2048 bit DH instead of 1024 bit DH over TLS and 56 kbit/s TCP/IP.
Quote: Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can.
No:
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
Of course 1024 is not a theoretical or a computational limit, but if you
toss together a X.509 certificate with a DSA-3072/256 key and a
DSA-SHA256 signature you will become painfully aware that there isn't
any software that will recognize neither the key nor the signature. The
standard is in this sense setting a practical limit. |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Wed Dec 17, 2003 11:57 pm |
|
|
|
Guest
|
Tom St Denis wrote:
Quote: "Paul Rubin" <http://phr.cx@NOSPAM.invalid> wrote in message
news:7x3cbi4uw0.fsf@ruckus.brouhaha.com...
I thought FIPS pub whatever said 512-1024 bits. Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
I think what David meant was the DS algorithm can work for larger
fields/groups just as easily. True that DSS specifies upto 1kbit fields
with 160-bit groups...
That is probably correct, but it was my post he replied to, and I was
talking about DSS.  |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Thu Dec 18, 2003 12:00 am |
|
|
|
Guest
|
Roger Schlafly wrote:
Quote: "Henrick Hellström" <henrick.hellstrm@telia.com> wrote
Furthermore, DSA keys cannot be larger than 1024 bits.
DSA keys can be as large as you like, according to IEEE-1363
and other standards.
The algorithm specified by IEEE-1363 is, strictly speaking, not DSA
since DSA is specified by DSS (FIPS-186), but "DLSSA-DSA" iirc. |
|
|
| Back to top |
|
| Paul Rubin |
| Posted: Thu Dec 18, 2003 1:17 am |
|
|
|
Guest
|
daw@taverner.cs.berkeley.edu (David Wagner) writes:
Quote: I don't recall what the FIPS says, but why should we care?
DSA is a perfectly good algorithm at key sizes above 1024 bits,
whatever the FIPS might or might not say.
Well, sure, but then it's not standards-conformant and won't
interoperate with a lot of the real-world software that's out there,
as Hendrik pointed out.
Quote: Although you could
make the big field larger anyway, the small field is still normally
160 bits, so you might not gain from making the big field bigger.
Well, of course you'd increase the size of q along with p. The idea is
to make the workfactor of generic attacks on the subgroup (about sqrt(q)
steps) roughly matches the workfactor of number-theoretic attacks on Z/pZ
(subexponential in p steps). It's just like Diffie-Hellman with short
exponents.
Other people seem to want to replace the g^x mod p mod q step with a
hash function--if you do that, then you need to specify a particular
hash function for each size of q that you want to use. |
|
|
| Back to top |
|
| Paul Crowley |
| Posted: Thu Dec 18, 2003 5:01 am |
|
|
|
Guest
|
daw@taverner.cs.berkeley.edu (David Wagner) writes:
Quote: Furthermore, DSA keys cannot be larger than 1024 bits.
Oh, don't be silly. Of course they can.
This is news to me. Of course the math supports arbitrarily large
keys, but I thought the standards didn't. And the implementations of
DSA I've seen make the same assumption.
--
__ Paul Crowley
\/ o\ sig@paul.ciphergoth.org
/\__/ http://www.ciphergoth.org/ |
|
|
| Back to top |
|
| David Wagner |
| Posted: Thu Dec 18, 2003 7:24 am |
|
|
|
Guest
|
Henrick Hellström wrote:
Quote: David Wagner wrote:
It's when you generate a new key for every transaction that it makes
a difference whether you generate new parameters or not. In this
case, it is much better not to generate new parameters; the optimal
security/performance trade off (I would expect) will be to re-use
parameters and just generate a new key.
Depends. The parameters can be generated and stacked in idle time. Very
few (or rather no) servers use 100% of the CPU all of the time.
Ok. If CPU cycles for key generation are pretty cheap or nearly
unlimited, I agree. It's when they're tightly constrained that it's
better to spend that idle time on an exponentiation modulo a larger prime
rather than on generating a new small prime. (Remember that key generation
involves an exponentiation.) |
|
|
| Back to top |
|
| David Wagner |
| Posted: Thu Dec 18, 2003 7:25 am |
|
|
|
Guest
|
DJohn37050 wrote:
Quote: Also, if you gen your own DP, the other guy needs to ensure they are kosher,
Does he? If the signer is bound by anything signed by her key, then
she has an incentive to make sure they are kosher. |
|
|
| Back to top |
|
| Tom McCune |
| Posted: Thu Dec 18, 2003 7:27 am |
|
|
|
Guest
|
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote in
news:7xzndqddc6.fsf@ruckus.brouhaha.com:
Quote: It didn't occur to me that anyone generates a new field at keygen
time, or that the key format even included a way to specify the field.
GPG doesn't present the option of generating a new field when you
generate an EG key the normal way, though there might be some advanced
command that does it. There's really no reason to do it. If you're
paranoid enough to think that an attacker can break DLP over the
canned field, you ought to expect they can also break it over a newly
generated field.
On the other hand, the typical individual user will generate a new DH key
less than yearly, and will use a reasonably sized key, so the extra time is
pretty meaningless.
--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm |
|
|
| Back to top |
|
| DJohn37050 |
| Posted: Thu Dec 18, 2003 8:39 am |
|
|
|
Guest
|
NIST is revising X9.30 DSA to allow for longer key (p) lengths in 5 security
levels and q gets to be longer also. You also use the longer hashes.
Also, if you gen your own DP, the other guy needs to ensure they are kosher,
which takes some time.
Don Johnson |
|
|
| Back to top |
|
| Henrick Hellström |
| Posted: Thu Dec 18, 2003 11:10 am |
|
|
|
Guest
|
David Wagner wrote:
Quote: It's when you generate a new key for every transaction that it makes
a difference whether you generate new parameters or not. In this
case, it is much better not to generate new parameters; the optimal
security/performance trade off (I would expect) will be to re-use
parameters and just generate a new key.
Depends. The parameters can be generated and stacked in idle time. Very
few (or rather no) servers use 100% of the CPU all of the time. |
|
|
| Back to top |
|
| |
