Interesting People mailing list archives
Denning reply to CPSR
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 20 May 1993 09:24:46 -0500
------ Forwarded Message Date: Tue, 18 May 93 16:54:22 EDT From: denning () cs cosc georgetown edu (Dorothy Denning) Subject: Re: Denning on NIST/NSA Revelations (Sobel, Denning, Rotenberg) In response to David Sobel's statement about NIST and the DSS, I wrote in RISKS-14.60: ... NIST issued the DSS proposal along with a public call for comments as part of their normal practice with proposed standards. The community responded, and NIST promptly addressed the security concerns. Among other things, the DSS now accommodates longer keys (up to 1024 bits). As a result of the revisions, the DSS is now considered to be just as strong as RSA. In RISKS 4.62, Marc Rotenberg responded: Denning has to be kidding. The comments on the proposed DSS were uniformly critical. Both Marty Hellman and Ron Rivest questioned the desirability of the proposed standard. One of the reasons for the concern was the secrecy surrounding the development of the standard. The documents disclosed by NIST and NSA to CPSR make clear that NSA used its classification authority to frustrate the attempt of even NIST's scientists to assess the candidate algorithm. The DSS is similar to a scheme by El Gamal, which was presented at CRYPTO 84 and subsequently published in the IEEE Trans. of Information Theory (July 85). It is even closer to a scheme by Schnorr, which was presented at CRYPTO 89. The DSS is not classified and the basic approach has been under scrutiny by the crypto community since 84. All of the cryptographers that I have spoken with at NIST have made the assessment that the DSS (as revised in response to the comments by Hellman, Rivest, and others) is at least as strong as RSA for comparable key lengths. I am unaware of any evidence to the contrary. Also in RISKS-14.62, Bill Murray wrote While it may be true that DSS with a 1024 bit modulus is as secure for digital signatures as RSA, it does not meet either the congressional mandate or the requirement. The congressional mandate was for a public-key standard, not for a digital signature standard. The requirement is for a mechanism for key exchange. According to NIST, there was no Congressional mandate for a public-key standard. Congress did give NIST the charge to develop standards for sensitive, unclassified information, but it left open to NIST exactly what those standards should be. On its own initiative, NIST issued a solicitation for a public-key standard in the Federal Register, June 30, 1982. My understanding is that the solicitation was very broad and did not identify exactly what functions such a standard would need to provide. Several years later NIST, at their discretion, proposed the DSS. In retrospect, we can now look back and see how the DSS fits in with Clipper and Capstone. The result will be a complete package that has encryption, signatures, and key management/exchange. Thus, the advantage of RSA over the DSS in its ability to do key exchange disappears. It is very easy to be critical of a process when you are looking at it from the "stands" instead of the "court" and from hindsight rather than from current action and concerns. Dorothy Denning ------ End of Forwarded Message
Current thread:
- Denning reply to CPSR Dave Farber (May 20)