• Registered: 2007-06-18
  • Posts: 111

Topic: SHA512 vs SHA256

Do to the way signatures are created, and the signing algorithm used (either RSA or DSA), SHA512 may not be better than SHA256.  Let me explain:

To use any algorithm above SHA1 (which is a 160 bits hash), you need to have a DSA2 or RSA signing key generated.  Old DSA style keys will always default to SHA1.

Second:
Due to the FIPS specification, even DSA2 key are limited to 256 bit hashes. 

Ive tried to explain some of the misconceptions here in this unfinished work.

http://ubuntuforums.org/showthread.php?t=687173

Although this work could be updated know that RSA is preferred over DSA, the principles discussed in this work still hold.  I encourage everyone seriously using GnuPG to take a look at this work.  It took me days to find and confirm this information with the GnuPG mailing list.  I wanted to take principles and examples I had seen vaguely discussed and distill them down to a level which everyone could understand.

  • From: Geneva
  • Registered: 2007-04-04
  • Posts: 1,040

Re: SHA512 vs SHA256

Ok, but there isen't any negative facts to use SHA512 than SHA256, no ?

the_glu's Website

  • Registered: 2007-06-18
  • Posts: 111

Re: SHA512 vs SHA256

The only negative facts by using SHA512 is that it takes longer to create the hashes (more than twice as long), and with DSA2 3092 bit keys (the longest keys you can make currently) - the 256 leftmost bits of the 512 bit hash product are taken to end up with a resultant 256 bit hash.  So hence you wasted processing time to end up with a 256 bit hash when simply computing a 256 bit hash would have been faster and ended up with a resultant that would be just as "secure" to collision. 

Again if using RSA signing, you can use SHA512 as well as SHA256 and respectively get 512 and 256 bit hashes.

A little off topic, but when SHA3 is named in 2010 or 2011, this entire topic will be a mute point, since the algorithm will be completely different than the classic SHA "family".

  • From: Geneva
  • Registered: 2007-04-04
  • Posts: 1,040

Re: SHA512 vs SHA256

Yep I know about SHA3.

About time :

time sha512sum firegpg.xpi
sha512sum firegpg.xpi  0,03s user 0,00s system 98% cpu 0,037 total

time sha256sum firegpg.xpi
sha256sum firegpg.xpi  0,01s user 0,00s system 20% cpu 0,033 total

Ok it's longer, but I don't think it's relay important for the user wink

the_glu's Website

  • Registered: 2007-06-18
  • Posts: 111

Re: SHA512 vs SHA256

Probably a valid point on most modern computers, however I'm just saying if you are using a DSA key or DSA2 key there needs to be a distinction.  Only DSA keys can use RIPEMD-160 or SHA1.  DSA2 keys can use all combinations, however you are not gaining anything with SHA512 since the resultant is rounded to 256 bits.  Only RSA keys can take full advantage of SHA512.  This may bother some users however is there really an advantage today of using SHA512 vs SHA256?  Not in my opinion as it stands today.

  • Registered: 2009-06-24
  • Posts: 2

Re: SHA512 vs SHA256

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Not to be the newbie comin' in, steppin' on other's "things" (dee eye see kay ess), I just wanted to post an interesting tidbit.

In DSA2, the length of the hash is determined by a value called q (or what qbits in keygen.c becomes in the DSA2 key).  Truncation to a specific number of bits occurs because the algorithm's output is longer than q.  My key has it's q set to 512 to fully accomidate the SHA512 hash output.  I tested this by signing a message using SHA256 and SHA512 explicitly with seperate keys, one with a q of 256 and another with a q of 512, and the larger q had the larger signature block output (and it would refuse to use anything but SHA512).

Just to let you know, you cannot make this modification (to my knowledge) in your key unless you modify the logic in the function that prepares DSA2 key generation in keygen.c that selects the qbits value.  Though a modified GnuPG is NOT required to utilize a key that has a q that's larger than 256, one is required to generate a key with that value.  Simply using an unmodified GnuPG to check my signature on this message is proof enough that the key, not GnuPG programming, limits the hash size.

This is really only useful if you want to use a DSA2 key larger than 3072 bits.  For example, the DSA2 key that signed this message is 0x5E6DDEF6, a 4096 bit DSA2 sub key of 0x491362F1.

Let me know if you want more info...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 - *.:{Hack.I.T Edition r0001}:.*

iJ4EAREKAAYFAkpCbhcACgkQ+7Rzy15t3vbrSAH8DE4ycQT4eLVzdueFakWd2nzG
jMn/eh+3y7L8++No8HaO3RDZBpl052BHdQ9V8XeO0cnDZ0YKp4D5Ju9k2nSEggH8
D10U9+vMSmiDu+XbPaYf1HFexEDjbZnq2qbY4L67YlI/FnRENUpMTOR4FPRpxMTm
CRed+k6DSFhItEKJ4iQZMA==
=j++4
-----END PGP SIGNATURE-----

  • Registered: 2007-06-18
  • Posts: 111

Re: SHA512 vs SHA256

Although I know you can modify the q value within the gpg source code, this would then we against the standards as set by RFC8440.

  • Registered: 2009-06-24
  • Posts: 2

Re: SHA512 vs SHA256

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Oh well... :\

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 - *.:{Hack.I.T Edition r0001}:.*

iJ4EAREKAAYFAkqZhQMACgkQ+7Rzy15t3vYLoQH/bxTWH6ZckRvOBFMx/3iIobPQ
FJJPYN7HeV8VVq6lUAbZE4AfMKkw2ufoPZHZDR8YeKTwJoi/3euC/JX/3V1rfwH7
BVfcc4dtXD9pFUdqK00GZlSSI0+ptaMQJBrqmT5LX2HRnFOVEGNe52cgTAbXjjsB
hgS0Bj6Uj1IrsuuNbuFThw==
=rkvz
-----END PGP SIGNATURE-----