Plain Elgamal keys

Werner Koch
Sat, 4 Sep 1999 11:58:36 +0200

Maitre Jedi Yoda <> writes:

> I don't realy understand the FAQ about the key-size.
> If I usea plain Elgamal key what (an why) size should I chose?
> Is Plain Elgamal a complete alternative to RSA ?
Yes, but DSA/Elgamal is better. It does not make sense to use a signing key of more than 1024 bits as the probability of breaking this one is believed to be even to the one of breaking a 160 bit hash. And we don't have a really greate hash algorithm today. I know that the NSA is working on one ... bit they didn't comment on when they will release this peace of work - and then we need some time for the academic cryptographers to scrutinizes this algorithm, so that we don't have SHA-0 problem. Well, it may take some years. Combining differen hash algorithms to yield a larger disgest may be a way, but there is not much research on this issue and it may make the hash weaker. I really suggest to stick to DSA/ElGamal for now. BTW, PGP is not able to handle these keys nor to create them. -- Werner Koch at keyid 621CC013