The most serious criticisms of DSS involve its security. DSS was
originally proposed with a fixed 512-bit key size. After much criticism
that this is not secure enough, NIST revised DSS to allow key sizes up
to 1024 bits. More critical, however, is the fact that DSS has not been
around long enough to withstand repeated attempts to break it; although
the discrete log problem is old, the particular form of the problem
used in DSS was first proposed for cryptographic use in 1989 by Schnorr
and has not received much public study. In general, any new
cryptosystem could have serious flaws that are only discovered after
years of scrutiny by cryptographers. Indeed this has happened many
times in the past. RSA has withstood over 15 years of vigorous
examination for weaknesses. In the absence of mathematical proofs of
security, nothing builds confidence in a cryptosystem like sustained
attempts to crack it. Although DSS may well turn out to be a strong
cryptosystem, its relatively short history will leave doubts for years
to come.
Some researchers warned about the existence of ``trapdoor'' primes in DSS, which could enable a key to be easily broken. These trapdoor primes are relatively rare however, and are easily avoided if proper key generation procedures are followed.