On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote:
> If the constraints elsewhere in the system limit the number of bits of  
> signature you can transfer, you're stuck.  Presumably over time you'd  
> want to go to a more bit-efficient signature scheme, perhaps using  
> ECC.

Even plain DSA would be much more space efficient on the signature
side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
1024 bit RSA key, and the signatures would be half the size. And NIST
allows (2048,224) DSA parameters as well, if saving an extra 8 bytes
is really that important.

Given that they are attempted to optimize for minimal packet size, the
choice of RSA for signatures actually seems quite bizarre.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to