Looking for Elgamal sign+encrypt key information

Kurt Fitzner kfitzner at excelcia.org
Sun Mar 14 20:29:56 CET 2004


Personally, I use RSA v4 sign+encrypt keys for my own use.  I am not at
all fond of DSA, primarily because of its small key size.  Many
cryptographers are recommending 1024 bit key sizes as a minimum these
days.  And for me, identity verification and signatures are far more
important than encryption.  I just don't subscribe to the "change your
signature every year or so" school of thought that uses the argument
that even if a signature key is compromised, that key can still be
trusted to accurately represent historically signed documents.  I would
guess the "200 (Elgamal sign+encrypt) keys per year" that are added to
key servers are added by people who have similar reservations to DSA
that I do.

I'm not at all familiar with the issues you mention in passing that make
the Elgamal signature scheme dangerous.  The abstract you reference
mentions in detail the implementation flaw, but does not explain what
makes the signature scheme dangerous in general.  If you could kindly
point me to information of this sort, I would be most appreciative.

While I honestly don't wish to appear confrontational, it still seems to
me that the removal is a little knee-jerk.  I can understand the
position you were in.  Mr. Nguyen, in my opinion, should simply have
sent you an email, rather than making a paper with "Flaws of GnuPG" in
big bold letters on the top.  In light of the "press" this issue
received, I can understand wanting to take very decisive action.  But I
have to ask, if a similar implementation flaw in RSA key generation were
found, would RSA sign+encrypt support be removed from GnuPG as well?
The statement that Elgamal is obsolete leaves the impression that the
thought is that it is DSA which is making it obsolete, and this
distinctly troubles me.

As a user, I would urge that GnuPG's goal be to provide functionality
for as much of OpenPGP as possible.  GNU software in general has always,
to me, represented choice.  I liked the fact that, while Elgamal keys
were not encouraged, that the functionality was included.  Include the
ability, and let the user make the choice.

In any case, any more information on what makes Elgamal signature
implementation dangerous in general would still be much appreciated.

Thank you kindly for your time and reply.

	Kurt Fitzner


-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org] 
Sent: March 14, 2004 11:19 AM
To: Kurt Fitzner
Cc: gnupg-users at gnupg.org
Subject: Re: Looking for Elgamal sign+encrypt key information


On Sun, 14 Mar 2004 09:23:40 -0700, Kurt Fitzner said:

> the original announcement, which says it was disabled because of an 
> implementation flaw.  However, one small item in this mailing list's 
> archives suggests that the implementation flaw was actually corrected 
> in 1.2.4.

The ElGamal signature scheme is very very hard to get right and we have
seen many attacks on it over the last years.  I originally implemented it
in GnuPG because at that time the patent status of DSA was not clear.

Although the current problem was "only" an implementation bug, it proved
again how hard it is to get this signature scheme right. Instead of
fixing it we removed the ability to create Elgamal signatures in 1.2.x
and entirely dropped support in 1.3.x.

For background info see http://www.di.ens.fr/~pnguyen/pub.html#Ng04

> When I am using Windows platforms, I tend to use PGP 6.5.8ckt, which 
> does support the use of Elgamal sign+encrypt keys.  So if there are

It has been said a thousand times in the last years: DO NOT USE ELGAMAL
SIGNATURES - they are dangerous, slow and obsolete. There is a far
better alternative: DSA - as Phil Zimmermann puts it: "DSA is Elgamal
debugged".

  Werner



