RSA/DSA questions

Joseph Ashwood ashwood at msn.com
Fri May 23 16:25:40 PDT 2003
----- Original Message ----- 
From: "Damian Gerow" <dgerow at afflictions.org>
To: <cypherpunks at einstein.ssz.com>
Sent: Friday, May 23, 2003 9:30 AM
Subject:  RSA/DSA questions
It depends on what is meant by RSA signatures. 9796 is effectively dead, RSA
PKCS #1 v1.5 is certainly no longer competitive security-wise, PSS is
exceptional, and those are the first 3 that come to mind. Going from this I
would recommend DSA above 9796 and PKCS #1 v1.5. DSA vs PSS though is
significantly more complicated. Both DSA and PSS rely on the randomness of
the RNG (contrary to popular belief Windows is not inherently bad at RNGs,
it's just that it doesn't come with a good one). Collisions in PSS are less
critical than in DSA (an output collision reveals only that the RNG and hash
spit out the same values twice), but PSS suffers from IFP's weakness versus
DLP. This stems from several solid proofs that IFP (integer factoring) can
be no harder than DLP (integer discrete logarithm), and may be mitigated if
you believe that DLP and IFP will reduce to the same problem (the current
algorithms indicate this may indeed be the case), but in the immediate
future DLP is inherently more difficult than IFP. PSS gains though in that,
without breaking any standard that I'm aware of, the modulus can be extended
indefinitely, whereas DSA1 (I don't recall DSA2 immediately having such an
issue, but I don't recall DSA2 specifics immediately) has a standard limit
of 1024-bit (the maths scales indefinitely though). The other thing to
consider is speed: since you're using this for SSH, it may be important that
the server be capable of more connections per time, in which case DSA is the
clear winner (RSA wins for verification though for a typical
implementation).

From most perspectives the two algorithms simply target different positions;
neither one is inherently more secure than the other. Personally I have an
affinity for DSA, but that is a personal preference without any fundamental
reason. Pointers to the information itself are out of my immediate reach; I
just upgraded my computer and have yet to completely restore the crypto
data.
                Joseph Ashwood

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com
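The point above that DSA stands or falls with its nonce RNG, as an added example that is not part of the original post or of any project it mentions: a textbook DSA over a constructed 64-bit safe-prime group (far too small for real use), signing once with fresh nonces and once with an RNG that keeps returning the same k, plus the check a defender can run over a batch of signatures, since a reused nonce shows up as a repeated r. The parameter search, message strings and the stuck nonce value are all constructed for the demo.

```python
import hashlib
import secrets

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; these bases are deterministic below 3.3e24 (n > 37 assumed)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def make_params(bits=64):
    """Constructed safe prime p = 2q + 1; g = 4 is a square mod p, so it has order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4
def h(msg, q):  # SHA-256 reduced mod q, as DSA does with its hash
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q
def sign(p, q, g, x, msg, k):
    """Textbook DSA; the nonce k is passed in so a failing RNG can be simulated."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h(msg, q) + x * r) % q
    assert r and s, "degenerate nonce, draw another"  # probability about 2/q
    return r, s
def verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, h(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r
def repeated_r(sigs):  # r values seen more than once: the fingerprint of a reused nonce
    rs = [r for r, _ in sigs]
    return {r for r in rs if rs.count(r) > 1}
def demo(n=3):  # sign n constructed messages with fresh nonces, then again with a stuck RNG
    p, q, g = make_params()
    x = 1 + secrets.randbelow(q - 1)
    msgs = [b"ssh session %d" % i for i in range(n)]
    fresh = [sign(p, q, g, x, m, 1 + secrets.randbelow(q - 1)) for m in msgs]
    stuck = [sign(p, q, g, x, m, 0xC0FFEE) for m in msgs]  # RNG hands out the same k
    ok = all(verify(p, q, g, pow(g, x, p), m, s) for m, s in zip(msgs * 2, fresh + stuck))
    return ok, repeated_r(fresh), repeated_r(stuck)
```

Both batches verify, which is exactly why a verifier never notices the problem; only the duplicate-r scan does.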