Why are DSS keys significantly smaller than DH keys?
Clearly, if DH keys can be up to 4,096 bits while DSS keys are limited to 1,024 bits, there is a serious disparity between the strength offered by the two kinds of key. One might suppose that DSS keys make up for this by combining the ElGamal and Schnorr signature schemes, but that is not so: DSA is a variant of the ElGamal signature scheme, and anyone who can compute discrete logarithms modulo p breaks both. A 1,024-bit DSS key really is far easier to break than a longer DH key. DH and DSS rest on the same underlying mathematics (the discrete logarithm problem modulo a large prime), and a 1,024-bit modulus is inherently easier to break than a 4,096-bit one.

So, why the contrast? Firstly, PGP simply implements the Digital Signature Standard as specified in [FIPS186-1]. DSS is the US federal standard for digital signatures, and PGP implements it at the maximum strength the standard permits: [FIPS186-1] fixes p at between 512 and 1,024 bits (in steps of 64 bits) and q at 160 bits. An implementation of “DSS” with p larger than 1,024 bits would no longer conform to the standard. Secondly, let’s look at
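As an added example (not from the original FAQ and not PGP's own code), here is a pure-Python DSS/DSA sign-and-verify routine together with a check of the FIPS 186-1 size constraints described above. The domain parameters p = 23, q = 11, g = 4 are constructed toy values chosen so the code runs instantly; they are not secure, they fail the size check, and the brute-force forgery at the end only works because q is tiny. It also shows the point the size constraint implies: a DSS signature is no stronger than the subgroup order q (160 bits under the standard), however large p is.

```python
import hashlib
import secrets

# FIPS 186-1 size constraints: p is L bits with 512 <= L <= 1024 and L a
# multiple of 64; q is exactly 160 bits (the size of a SHA-1 digest).
FIPS186_1_L_VALUES = range(512, 1025, 64)
FIPS186_1_N_BITS = 160


def fips186_1_sizes_ok(p, q):
    """Size check only. Real parameter validation must also confirm that
    p and q are prime and that q divides p - 1 (see params_well_formed)."""
    return p.bit_length() in FIPS186_1_L_VALUES and q.bit_length() == FIPS186_1_N_BITS


def params_well_formed(p, q, g):
    """Structural check (no primality testing): q must divide p - 1 and
    g must generate a subgroup of order q."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1


def hash_to_int(message, q):
    """SHA-1 the message (DSS per FIPS 186-1) and take the leftmost
    min(160, bitlen(q)) bits as an integer, as the standard specifies."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - min(160, q.bit_length()))


def keygen(p, q, g):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(p, q, g, x, message):
    """DSA signature (r, s). A fresh secret k is drawn per signature
    (k must never repeat or leak); r == 0 or s == 0 means retry."""
    z = hash_to_int(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(p, q, g, y, message, signature):
    """Standard DSA verification: accept iff v == r."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = hash_to_int(message, q)
    u1 = (z * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def brute_force_forgery(p, q, g, y, message):
    """Try every (r, s) pair in [1, q-1]^2; feasible only because q is tiny.
    The cost of this attack is bounded by q, not by the size of p."""
    for r in range(1, q):
        for s in range(1, q):
            if verify(p, q, g, y, message, (r, s)):
                return r, s
    return None


# Constructed toy domain parameters (NOT secure, NOT FIPS-conformant):
# q = 11 divides p - 1 = 22, and g = 4 has order 11 mod 23.
TOY_P, TOY_Q, TOY_G = 23, 11, 4


def demo():
    assert params_well_formed(TOY_P, TOY_Q, TOY_G)
    x, y = keygen(TOY_P, TOY_Q, TOY_G)
    msg = b"constructed sample message"
    sig = sign(TOY_P, TOY_Q, TOY_G, x, msg)
    ok = verify(TOY_P, TOY_Q, TOY_G, y, msg, sig)
    malformed_accepted = verify(TOY_P, TOY_Q, TOY_G, y, msg, (0, sig[1]))
    forged = brute_force_forgery(TOY_P, TOY_Q, TOY_G, y, b"never signed")
    forgery_ok = verify(TOY_P, TOY_Q, TOY_G, y, b"never signed", forged)
    # Size check against the standard: 1024-bit p with 160-bit q passes,
    # 2048-bit p does not, and neither do the toy parameters.
    sizes = (
        fips186_1_sizes_ok((1 << 1023) | 1, (1 << 159) | 1),
        fips186_1_sizes_ok((1 << 2047) | 1, (1 << 159) | 1),
        fips186_1_sizes_ok(TOY_P, TOY_Q),
    )
    return ok, malformed_accepted, forgery_ok, sizes


if __name__ == "__main__":
    print(demo())
```

The size check is deliberately separate from the structural check: an implementation can be handed a p of 2,048 bits that is perfectly good mathematically and still must reject it to remain a conforming DSS implementation, which is exactly the constraint the paragraph above describes.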