Differences between DSA and RSA Algorithms

Question

Despite having learned much related to RSA and DSA, I cannot understand their differences. Can anyone tell me at least 4-5 differences between these algorithms? I have just used them for two-factor authentication (Linux OpenSSL).

Answer 1

If you're the user of some software using cryptography under the hood, knowing the mathematics of how RSA and DSA work won't help you. What you need to know is what configurations of your software are good for the way you use it, and the choice of algorithm is often not the most important factor, although between RSA and DSA the choice today is usually ECDSA, or failing that RSA over plain DSA.

RSA and DSA are both families of digital signature algorithms. A digital signature algorithm is a way to authenticate a message. When a message has a valid digital signature, it must have been signed by the holder of the private key that was used to sign. They are both instances of public-key cryptography: only the signer knows the private key, but the public key which is used to verify a signature can be known to everyone.

Today there are four families of digital signature algorithms in common use for computer users: RSA, DSA, ECDSA and EdDSA. The TLS protocol which powers most secure channels on the Internet can use RSA, DSA or ECDSA. SSH (specifically its most common implementation OpenSSH) can use RSA, ECDSA or EdDSA (older versions could use DSA). DSA has fallen into disuse; it isn't broken, but its performance is very poor compared to ECDSA for the same security level. EdDSA is still very new and not widely supported. RSA is on a slow path to obsolescence because it struggles to cope with the required increases of key sizes as computing power for cracking keys increases, but it still has a very broad installed base, and while it is much slower than ECDSA for signature generation, it is faster for verification.

Quantum cryptanalysis may come and force all these algorithms out, but for the time being it's still a research topic and nobody knows what post-quantum cryptography might end up looking like. There's an ongoing competition to find good algorithms that resist quantum cryptanalysis as it's currently thought to work.

If you're still using DSA, consider migrating to ECDSA. You're paying extra CPU power and using code that is probably not getting as much scrutiny these days. Don't migrate to any of the post-quantum algorithms because they haven't been studied much yet, and for all we know they'll be broken as soon as a cryptographer who isn't their author looks at them.

The security of RSA relies on the difficulty of the factoring problem, i.e. given only a product of two integers $p q$ the difficulty of finding $p$ and $q$ (with $p$ and $q$ chosen to make the problem difficult, i.e. being primes or at least probable primes). The security of DSA relies on the difficulty of the discrete logarithm problem, i.e. given $n$, $g$ and $y$ finding $x$ such that $g^x = y \bmod n$ (with $n$ and $g$ chosen to make the problem difficult). ECDSA and EdDSA also rely on the discrete logarithm problem, but on elliptic curves instead of $\mathbb{Z}/n\mathbb{Z}$.

There is also a family of public-key encryption algorithms called RSA. It uses the same mathematical problem under the hood, with different constructions on top. DSA does not have a corresponding encryption scheme in widespread use. ECIES is a standard for encryption using elliptic curve cryptography which can be thought of as a parallel to ECDSA, but it's markedly less common. The Edwards curves that power EdDSA can also be used for public-key encryption but I'm not aware of a standard for that.

Answer 2

Some differences between RSA and DSA (ignoring the SSL aspect of the question)

• The hardness of RSA is based on the difficulty of integer factorization in $\Bbb N$; the hardness of DSA is based on the difficulty of the discrete logarithm in $\Bbb Z_p^*$. That's quite different mathematical problems, no reduction from one to the other is known.
• RSA is a family of cryptosystems with various functionalities, while DSA is an individual cryptosystem providing signature as appendix (that is, the signature is added to the unmodified message). The RSA family has signature as appendix (e.g. RSASSA-PSS), other forms of signature, encryption (e.g. RSAES-OAEP), key exchange, and insecure textbook versions. But similar extra functionalities are provided by cousins of DSA also based on the discrete logarithm in $\Bbb Z_p^*$, making that difference between family and individual cryptosystem purely semantic.
• At usual and comparable security levels
  • The public-key operation of RSA (signature verification or encryption) can be hundreds times less compute-intensive than the public-key operation of DSA (signature verification). That makes RSA a good choice for digital certificates (generated once, verified sometime billion times), and signature verification or encryption by low-power devices.
  • The private-key operation of RSA (signature generation or decryption) is several times more compute-intensive than the private-key operation of DSA (signature generation).
  • A DSA signature is several times more compact than an RSA signature with appendix can be (on the other hand, RSA signature with message recovery often leads to slightly more compact messages than DSA).
• The speed of DSA, and its public key size, can be improved by using an Elliptic Curve group rather than $\Bbb Z_p^*$ (reducing the performance disadvantage for public-key operation compared RSA, and widening the advantage for private-key operation); that's ECDSA, EdDSA... There's no such option for RSA.
• Failure of the RNG used in DSA (and ECDSA, but not EdDSA) for each signature can realistically lead to leak of the private key from a few signature, which is a total break. That failure mode does not exist with RSA signature, where failure of the RNG used for signature (if any) typically leads only to existential forgery with little practical consequence.

Answer 3

Most importantly Rivest Shamir Adleman (RSA) and Digital Signature Algorithm (DSA) fulfill entirely different cryptographic purposes but have some functional similarities such as they are both public key based.

RSAs intended purpose is a public private key cryptosystem for encrypting data. DSAs intended purpose is data signing or data authenticity.

Incidentally both have a key generation process but RSA enciphers data with its key (it encrypts it) while DSA "signs" data that is it produces.

With DSA a cryptographic hash (usually SHA-2) is calculated that is then encrypted with the DSA private key producing an enciphered code. Validating then requires generating a hash and comparing it to the plain text hash by deciphering it with the public key which proves the origin of the data must have the public keys corresponding private key.

RSA as defined is a full cryptosystem but in practice its used as part of a larger protocol typically to facilitate public key infrastructure PKI such as TLS or PKCS 1 because RSA requires careful consideration of its parameters. Further RSA is slow so whether it can be used for data encryption its typically just used to encrypt session keys which are symmetric (shared) along with protocol negotiation that ensures those keys were secure and that proves the authenticity of the exchange.