----- Original Message -----
From: "Damian Gerow" <dgerow@afflictions.org>
To: <cypherpunks@einstein.ssz.com>
Sent: Friday, May 23, 2003 9:30 AM
Subject: RSA/DSA questions

It depends on what is meant by RSA signatures: 9796 is effectively dead, RSA PKCS 1 v1.5 is certainly no longer competitive security-wise, PSS is exceptional, and those are the first 3 that come to mind. Going from this I would recommend DSA above 9796 and PKCS #1 v1.5. DSA vs PSS though is significantly more complicated.

Both DSA and PSS rely on the randomness of the RNG (contrary to popular belief Windows is not inherently bad at RNGs, it's just that it doesn't come with a good one). Collisions in PSS are less critical than in DSA (an output collision reveals only that the RNG and hash spit out the same values twice), but PSS suffers from IFP's weakness versus DLP. This stems from several solid proofs that IFP (integer factoring) can be no harder than DLP (integer discrete logarithm), and may be mitigated if you believe that DLP and IFP will reduce to the same problem (the current algorithms indicate this may indeed be the case), but in the immediate future DLP is inherently more difficult than IFP.

PSS gains though in that, without breaking any standard that I'm aware of, the modulus can be extended indefinitely, whereas DSA1 (don't recall DSA2 immediately having such an issue, but I don't recall DSA2 specifics immediately) has a standard limit of 1024-bit (the maths scales indefinitely though).

The other thing to consider is speed. Since you're using this for SSH, it may be important that the server be capable of more connections per time, in which case DSA is the clear winner (RSA wins for verification though for a typical implementation).
From most perspectives the two algorithms simply target different positions; neither one is inherently more secure than the other. Personally I have an affinity for DSA, but that is a personal preference without any fundamental reason. Pointers to the information itself are out of my immediate reach, I just upgraded my computer and have yet to completely restore the crypto data.

Joseph Ashwood
Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com
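Added illustration, not part of the original thread or of any product from the author: a minimal DSA sign/verify in Python that makes concrete the RNG dependence the reply above weighs, namely that every DSA signature needs a fresh secret nonce k, that a repeated k is visible as a repeated r, and that verification itself needs no randomness. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values chosen so the arithmetic is checkable by hand; they are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy DSA group (real DSA needs q >= 160 bits, p >= 1024 bits):
# p = 2q + 1 with q prime, and g = 2^((p-1)/q) mod p has order q.
P, Q, G = 1019, 509, 4

def hash_to_int(msg: bytes) -> int:
    """Reduce the message hash into the exponent group, as DSA does."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen() -> tuple[int, int]:
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign_with_nonce(e: int, x: int, k: int) -> tuple[int, int]:
    """Sign reduced digest e with private key x and per-signature nonce k.
    r depends only on k, so a repeated k shows up as a repeated r, and a
    repeated k also exposes x: k must be fresh and secret every time."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (e + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with a new k")
    return r, s

def sign(msg: bytes, x: int) -> tuple[int, int]:
    """Draw a fresh nonce from the CSPRNG for every signature."""
    while True:
        try:
            return sign_with_nonce(hash_to_int(msg), x, secrets.randbelow(Q - 1) + 1)
        except ValueError:
            continue

def verify(e: int, y: int, sig: tuple[int, int]) -> bool:
    """Verification is deterministic and needs no randomness at all."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (e * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def nonce_reused(sig_a: tuple[int, int], sig_b: tuple[int, int]) -> bool:
    """Equal r means the same nonce was used: a cheap signer-side self-check."""
    return sig_a[0] == sig_b[0]
```

Signing twice with k = 7 gives the same r both times while k = 8 gives a different one, which is the observable "collision" the reply refers to; a real deployment must never supply k by hand and must use a CSPRNG as sign() does.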