Bob Mearns wrote:

> >> I'm looking to generate a short digital signature, perhaps 192
> >> bits or so, using an asymmetrical algorithm. DSA seems to
> >> have 320 bit signatures regardless of the key size used. Is
> >> this really the case, or am I missing something? Ignoring for
> >> the moment the wisdom of using signatures this short, is there
> >> a way I can accomplish my goal of ~192 bit signatures?

I just thought that it should be noted, the reason the DSA signatures are locked at 320 bits regardless of the key used is because the DSA standard uses the SHA-1 hash function to first compute the hash of the message. SHA-1 produces a fixed size hash of 160 bits. Because the hash size is fixed, the DSA specifies that a 160 bit prime be chosen at random during the key generation. During the signing process, two values are computed, r and s, each of these is calculated in an equation that is mod q. Therefore r and s can never exceed more than 160 bits, regardless of the size of key used. Since r and s comprise the signature, these two 160-bit values combine to form a signature that is 320 bits in length. For more information on the algorithm and how it works, please see:

http://en.wikipedia.org/wiki/Digital_Signature_Algorithm

A new standard is currently under development (Do a search on: FIPS 186-3) which specifies the use of longer length hashes, including SHA-224, SHA-256, SHA-384, and SHA-512 as a hash function, therefore q would be of size 224, 256, 384, and 512 bits respectively. The signature sizes would be double the size of q for each case.

To have a signature length of 192 bits would require q be 192/2 or 96 bits long. This is considerably smaller than the length of even MD5 hashes, and therefore would not provide a great deal of security.

Jason

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [hidden email]
Automated List Manager                          [hidden email]
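
The size rule described in the message above, as an added example that is not part of the original post or of OpenSSL's code: a toy DSA in Python showing that the fixed-width encoding of r and s is always twice the bit length of q, whatever the size of p. All function names are hypothetical, the parameters are generated on the fly for illustration only, and the hash is SHA-1 cut to its leftmost bits when q is shorter than 160 bits.

```python
# Toy DSA, added for illustration only: hypothetical names, throwaway parameters.
import hashlib
import secrets

def is_prime(n, rounds=24):  # Miller-Rabin probabilistic primality test
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % sp == 0 for sp in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def composite(a):  # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, s))
    return not any(composite(secrets.randbelow(n - 3) + 2) for _ in range(rounds))

def gen_params(L, N):  # N-bit prime q, L-bit prime p with q | p - 1, g of order q
    q = p = 4
    while not is_prime(q):
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
    lo, hi = (1 << (L - 1)) // (2 * q) + 1, ((1 << L) - 2) // (2 * q)
    while not is_prime(p):
        p = 2 * q * (lo + secrets.randbelow(hi - lo + 1)) + 1
    g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, p)) if x != 1)
    return p, q, g

def digest_int(msg, q):  # SHA-1 as an integer, cut to its leftmost |q| bits if q is shorter
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> max(0, 160 - q.bit_length())

def sign(msg, x, p, q, g):  # returns r || s, each in the fixed byte width of q
    n, r, s = (q.bit_length() + 7) // 8, 0, 0
    while r == 0 or s == 0:
        k = secrets.randbelow(q - 1) + 1  # fresh per-signature secret in [1, q-1]
        r = pow(g, k, p) % q  # reduced mod q, so at most |q| bits
        s = pow(k, -1, q) * (digest_int(msg, q) + x * r) % q  # likewise mod q
    return r.to_bytes(n, "big") + s.to_bytes(n, "big")

def verify(msg, sig, y, p, q, g):
    n = len(sig) // 2
    r, s = int.from_bytes(sig[:n], "big"), int.from_bytes(sig[n:], "big")
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, digest_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def demo(L, N, msg=b"constructed sample message"):  # -> (signature bits, verified?)
    p, q, g = gen_params(L, N)
    x = secrets.randbelow(q - 1) + 1  # private key; public key is g^x mod p
    sig = sign(msg, x, p, q, g)
    return len(sig) * 8, verify(msg, sig, pow(g, x, p), p, q, g)
```

`demo(512, 160)` and `demo(1024, 160)` both report 320 bits, while `demo(512, 96)` reports the 192 bits asked about in the question, at the cost of the 96-bit q the reply cautions against.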