Interesting People mailing list archives

Denning reply to CPSR


From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 20 May 1993 09:24:46 -0500



------ Forwarded Message

Date: Tue, 18 May 93 16:54:22 EDT
From: denning () cs cosc georgetown edu (Dorothy Denning)
Subject: Re: Denning on NIST/NSA Revelations (Sobel, Denning, Rotenberg)

In response to David Sobel's statement about NIST and the DSS, I wrote
in RISKS-14.60:

  ... NIST issued the DSS proposal along with a public call for comments 
  as part of their normal practice with proposed standards.  The
  community responded, and NIST promptly addressed the security
  concerns.  Among other things, the DSS now accommodates longer keys
  (up to 1024 bits).  As a result of the revisions, the DSS is now
  considered to be just as strong as RSA.
        
In RISKS 4.62, Marc Rotenberg responded:

  Denning has to be kidding.  The comments on the proposed DSS were
  uniformly critical.  Both Marty Hellman and Ron Rivest questioned the
  desirability of the proposed standard.  

  One of the reasons for the concern was the secrecy surrounding the
  development of the standard.  The documents disclosed by NIST and NSA
  to CPSR make clear that NSA used its classification authority to
  frustrate the attempt of even NIST's scientists to assess the
  candidate algorithm.

The DSS is similar to a scheme by El Gamal, which was presented at
CRYPTO 84 and subsequently published in the IEEE Trans. of Information
Theory (July 85).  It is even closer to a scheme by Schnorr, which was
presented at CRYPTO 89.  The DSS is not classified and the basic
approach has been under scrutiny by the crypto community since 84.  All of
the cryptographers that I have spoken with at NIST have made the assessment
that the DSS (as revised in response to the comments by Hellman, Rivest,
and others) is at least as strong as RSA for comparable key lengths.
I am unaware of any evidence to the contrary.

Also in RISKS-14.62, Bill Murray wrote:

  While it may be true that DSS with a 1024 bit modulus is as secure
  for digital signatures as RSA, it does not meet either the
  congressional mandate or the requirement.  The congressional mandate
  was for a public-key standard, not for a digital signature standard.
  The requirement is for a mechanism for key exchange.

According to NIST, there was no Congressional mandate for a public-key
standard.  Congress did give NIST the charge to develop standards for
sensitive, unclassified information, but it left open to NIST exactly what
those standards should be.  On its own initiative, NIST issued a solicitation
for a public-key standard in the Federal Register, June 30, 1982.  My
understanding is that the solicitation was very broad and did not identify
exactly what functions such a standard would need to provide.  Several years
later NIST, at their discretion, proposed the DSS.

In retrospect, we can now look back and see how the DSS fits in with Clipper
and Capstone.  The result will be a complete package that has encryption,
signatures, and key management/exchange. Thus, the advantage of RSA over the
DSS in its ability to do key exchange disappears.

It is very easy to be critical of a process when you are looking at it from
the "stands" instead of the "court" and from hindsight rather than from
current action and concerns.

Dorothy Denning
------ End of Forwarded Message

