How secure is GnuPG

David Shaw
Wed Jul 24 03:07:01 2002

On Tue, Jul 23, 2002 at 05:27:31PM -0400, Daniel Carrera wrote:
> > RSA signatures get larger in proportion to the size of the key.  If
> > you are going to sign emails and such, be warned that a really big
> > signing key is going to mean one huge signature at the bottom.  DSA
> > signatures are very small.
> Do you suggest using DSA for signatures?
> Is a 1024-bit DSA comparable, security-wise, to a 1024-bit RSA or ElGamal?

DSA and ElGamal are based on the same underlying hard problem, so
1024-bit DSA and 1024-bit ElGamal are very similar security-wise.
Note that DSA doesn't encrypt and ElGamal doesn't (usually) sign.
They work well as a pair of keys.

> Is DSA a symmetric algorithm or is it asymmetric like RSA?  I ask because
> I know that symmetric algorithms can achieve the same security for much
> smaller keys.

DSA is asymmetric.

> > But seriously - forget all that.  The real question to ask yourself is
> > *what do you want to do?*  The overwhelming majority of the time,
> > people end up with a DSA signing key (1024, the maximum) and an
> > ElGamal encryption key (2048-4096).  That is a good all-round safe
> > choice for many uses (email being the most common example).
> Why is 1024 the maximum for DSA?  That's interesting.

That's the spec.  I believe it was chosen to be somewhat in balance
(with regards to strength) with the 160-bit hash that DSA also uses.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
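The size difference David describes above (a DSA signature is two values modulo a 160-bit q, so it stays at 40 bytes however large p is, while an RSA signature is one value modulo the whole key) is easiest to see in code. The following is an added example, not code from this thread or from GnuPG: a textbook DSA in pure Python using SHA-1, the 160-bit hash the message refers to. The function names and the sample message are constructed for the illustration, and p is generated at 512 bits rather than the 1024 the spec of the time allowed, only so that parameter generation finishes quickly.

```python
# Toy DSA in pure Python, written as an added illustration for this thread.
# It is NOT GnuPG code and NOT for production use: parameters are small so
# the example runs quickly, and no side-channel hardening is attempted.
import hashlib
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test (trial division first)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_params(p_bits=512, q_bits=160):
    """DSA domain parameters (p, q, g) with q dividing p-1.  The classic
    shape is p = 1024 bits and q = 160 bits (the SHA-1 output size); p is
    shrunk here only so the example runs in a moment."""
    q = random_prime(q_bits)
    while True:
        # k is even so p = k*q + 1 is odd; sized so p has exactly p_bits
        k = (secrets.randbits(p_bits - q_bits - 1)
             | (1 << (p_bits - q_bits - 2))) * 2
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)  # g has order q in Z_p^*
        if g != 1:
            return p, q, g
        h += 1


def generate_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1  # private key in [1, q-1]
    return x, pow(g, x, p)            # (private, public)


def _hash_to_int(message, q):
    # SHA-1 gives 160 bits; keep the leftmost q.bit_length() bits if q
    # is shorter than the digest (the FIPS 186-3 rule).
    digest = hashlib.sha1(message).digest()
    z = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - q.bit_length()
    return z >> excess if excess > 0 else z


def sign(params, x, message):
    p, q, g = params
    z = _hash_to_int(message, q)
    while True:
        # The per-signature nonce k must be unique and unpredictable:
        # reusing k for two messages reveals the private key x.
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    z = _hash_to_int(message, q)
    w = pow(s, -1, q)
    v = ((pow(g, (z * w) % q, p) * pow(y, (r * w) % q, p)) % p) % q
    return v == r


def encode_signature(params, signature):
    """(r, s) as two fixed-width big-endian integers: 2 * 20 = 40 bytes
    for a 160-bit q, regardless of the size of p."""
    width = (params[1].bit_length() + 7) // 8
    r, s = signature
    return r.to_bytes(width, "big") + s.to_bytes(width, "big")


def rsa_signature_bytes(modulus_bits):
    """An RSA signature is one integer modulo n, so it grows with the key:
    128 bytes at 1024 bits, 512 bytes at 4096 bits."""
    return (modulus_bits + 7) // 8


if __name__ == "__main__":
    params = generate_params()
    x, y = generate_keypair(params)
    msg = b"constructed sample message"  # constructed input
    sig = sign(params, x, msg)
    print("DSA signature bytes:", len(encode_signature(params, sig)))
    print("verifies:", verify(params, y, msg, sig))
    for bits in (1024, 2048, 4096):
        print(f"RSA-{bits} signature bytes:", rsa_signature_bytes(bits))
```

Running it shows a 40-byte DSA signature next to 128, 256 and 512 bytes for RSA at the same key sizes, and it also makes the coupling David mentions concrete: the signature's two halves and the hash are all 160-bit quantities, so the strength of q and of SHA-1 were chosen to match. Later revisions of the DSA standard (FIPS 186-3 and after) allow larger p with a 224- or 256-bit q paired with SHA-2, which is why the 1024-bit ceiling discussed here no longer applies to current implementations.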