Using ELG sign and encrypt key

David Shaw
Fri Jun 7 22:44:02 2002

On Fri, Jun 07, 2002 at 08:06:59PM +0000, Brian M. Carlson wrote:
> On Thu, Jun 06, 2002 at 11:01:37PM +0200, Werner Koch wrote:
> > On Thu, 6 Jun 2002 14:58:34 -0700, David Pic=F3n =C1lvarez said:
> >=20
> > > When I created my new gpg key, I decided to use ElGamal sign and en=
> > > key, because it permits having a 4096 signature key, and I thought =
that gave
> > > it more security. However, I've been reading the archives of this m=
> > > lists, and it is said that using the same key for signing and encry=
ption is
> > > NOT a good idea. Could someone explain why or point me to a relevan=
> > > resource? Should I go back to using my DSA/ELG key instead?
> >=20
> > Yes, there are only 28 key ELG sign+encrypt keys on the keyservers.
> > They won't work with PGP, signing is very slow and there are probably
> > some vulenrabilities.  The key size alone is not a measure of
> > security; for exampleyou have to take the size of the hash into
> > account which is still 160 bits even with a 4k key.
> I am the proud owner of one of those 28 keys. Although PRZ loathes
> ElGamal type 20 keys, I rather like them. However, there are some
> issues: because Discrete Logarithm algorithms create two elements to
> sign instead of one, and ElGamal is a Discrete Logarithm algo, type 20
> sigs will be huge. I got serious flak from other mailing lists about
> this. You can use other, larger hash algorithms such as the SHA2 suite
> -- if you think they're secure. Yes, type 20 keys won't work with any
> PGP except ckt build06+. Some people think that using one key for
> signing and encryption is a bad idea because if the Big Bad Government
> comes after you and confiscates your key, you'll have to give up your
> signing key instead of just your encryption key.

This last reason, for me, is particularly important.  Aside from the
Big Bad Government reason, there are several advantages from a key
management perspective to use a seperate signing key.  I keep my
encryption subkey on my laptop and leave the signing key offline.  If
my laptop gets stolen, I don't lose my whole key.

If you want a 4096-bit key that can sign, why not use a 4096-bit RSA
key?  It's certainly more widely supported (including PGP support)
than ElGamal signing keys.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson