On Sep 23, 2008, at 11:32 PM, Kevin Hilton wrote:
Robert can probably give a better explanation than I, however with 3072 DSA signing keys, the SHA512 and SHA256 algorithms "functionally" produce the same length hash since the lower 256 bits are dropped as per the FIPS specification. I've often wondered about the consequences of such an action -- whether this makes the chance of a collision higher or equal in comparing the SHA512 modified hash product to the SHA256 hash product. Perhaps someone could elaborate on this.
In a perfect world, SHA512 truncated to 256 bits is exactly as strong as SHA256. We don't, of course, live in a perfect world. However, we're close enough in this case to treat the two as interchangeable in a practical world. This is what NIST did when specifying the new DSA algorithm in FIPS-186-3. They note that a 3072-bit DSA key needs a 256-bit hash, but that any hash larger than necessary can be truncated to fit. OpenPGP follows that spec, and so GPG will happily chop SHA512 to fit.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
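The truncation David describes is the hash-to-integer step of DSA signing: FIPS 186-3 (Section 4.6) takes the leftmost min(N, outlen) bits of the digest, where N is the bit length of the subgroup order q (256 for a 3072-bit key). The following is an added example, not code from the thread or from GnuPG, that carries that rule out for SHA-256 and SHA-512 and then runs a small birthday experiment on short truncations to show what "exactly as strong in a perfect world" means in practice. The (L, N) table is taken from FIPS 186-3; the decision to treat a digest shorter than N as an error is this example's own conservative policy and is labelled as such in the code.

```python
import hashlib
from collections import Counter

# (L, N) pairs permitted by FIPS 186-3 Table; 2048 also allows N = 224.
# Only the N value is needed to size the truncation.
DSA_N_FOR_L = {1024: 160, 2048: 256, 3072: 256}


def truncate_digest(digest: bytes, n_bits: int) -> bytes:
    """Return the leftmost min(n_bits, outlen) bits of a digest.

    This is the z = leftmost min(N, outlen) bits step of FIPS 186-3
    Section 4.6. Every FIPS hash length and every N is a byte multiple,
    so the slice is exact; anything else is rejected rather than padded.
    """
    outlen = len(digest) * 8
    keep = min(n_bits, outlen)
    if keep % 8:
        raise ValueError("truncation width must be a whole number of bytes")
    return digest[: keep // 8]


def dsa_hash_to_int(message: bytes, hash_name: str, n_bits: int) -> int:
    """Hash the message and convert the truncated digest to the DSA integer z."""
    digest = hashlib.new(hash_name, message).digest()
    return int.from_bytes(truncate_digest(digest, n_bits), "big")


def hash_fits_key(hash_name: str, n_bits: int) -> bool:
    """Conservative check used by this example (not a FIPS requirement):

    a hash that is longer than N is fine because it will be truncated,
    but a hash shorter than N leaves part of q unused and should be refused.
    """
    outlen = hashlib.new(hash_name).digest_size * 8
    return outlen >= n_bits


def collision_count(hash_name: str, trunc_bits: int, n_samples: int) -> int:
    """Birthday experiment on constructed inputs: hash the integers 0..n-1,
    truncate to trunc_bits, and count how many values land in an already
    occupied bucket. Expected value is roughly n**2 / 2**(trunc_bits + 1)
    for an ideal hash, independent of which hash is truncated.
    """
    buckets = Counter()
    for i in range(n_samples):
        digest = hashlib.new(hash_name, i.to_bytes(4, "big")).digest()
        buckets[truncate_digest(digest, trunc_bits)] += 1
    return sum(count - 1 for count in buckets.values())


if __name__ == "__main__":
    n = DSA_N_FOR_L[3072]
    msg = b"constructed sample message"
    for name in ("sha256", "sha512"):
        z = dsa_hash_to_int(msg, name, n)
        print(f"{name:>6}: fits={hash_fits_key(name, n)} z has {z.bit_length()} bits (<= {n})")
    print("sha1 for a 3072-bit key:", hash_fits_key("sha1", n))
    # Both truncated hashes fill 2**16 buckets at the same birthday rate.
    for name in ("sha256", "sha512"):
        print(f"{name} truncated to 16 bits, 2048 inputs:", collision_count(name, 16, 2048))
```

The two 256-bit values of z differ, of course, since SHA-256 and the left half of SHA-512 are different functions; the point of the thread is that they are the same size and, absent a structural weakness in either, equally hard to collide, which the 16-bit experiment illustrates by giving both roughly the thirty-odd collisions the birthday bound predicts.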