Looking for Elgamal sign+encrypt key information

Kurt Fitzner kfitzner at excelcia.org
Mon Mar 15 02:47:45 CET 2004


> There's a lot more to the security of a cryptosystem than simple
> bitsize.

Yes, there is a lot more to security than the bit size. I understand
that DH/Elgamal keys offer very slightly more security per bit than RSA.
My understanding is, though, that it is slight enough that for all
intents and purposes they are generally considered equivalently strong.
I hope this isn't taken as argumentative, but it seems that this
statement (quoted above) is rather avoiding the issue.  If I am
mistaken, and the security per bit in DSA signing keys is extraordinarily
higher than I am giving it credit for, then please, by all means, correct
me.  For the moment, though, I have grave concerns over a signature
mechanism whose current best strength is at the bare minimum that
cryptographers are suggesting.  According to some cryptographers[1],
1024 bits isn't even a good minimum today.  One point that
cryptographers make over and over is that no one should wait until a
keysize is provably too weak.

As I stated earlier, I don't want to replace my signature key every few
years.  I don't want people to be making the determination on whether my
signing key is mine or not based on whether it was signed by a
previously trusted, but now expired old key.  

> Crypto software should not be about "choice". It should be about
> security. Most users aren't qualified to assess the relative merits
> of public key cryptosystems. When one such cryptosystem is known to
> have serious weaknesses, it is the implementor's duty to remove it,
> rather than to assume that the average user has the knowledge to
> understand the implications of using that cryptosystem.

Of course cryptography software is about choice.  It's about people
taking an active role to determine what is good for them.  The advice
given in many tutorials, faqs, and papers[2] suggests that people keep
track of the current state of the art in cryptography and make their
symmetric, hash, and public key algorithm choices accordingly.

Crypto software must be secure, and it must also have the perception
that it is secure.  Both of these ends can be served by incorporating
choice into the software.  If the whole purpose of GnuPG is to have a
few experts determine what's best for all us civilians, then why is
there more than one of any type of algorithm implemented in it at all?
Why are so many algorithms included in the OpenPGP standard?  I suggest
that it is for the very reason so that people can make choices about
what to use - so that they can choose what best serves their purposes.
Thus, with respect, I must say that I believe the statement "Crypto
software should not be about 'choice'" to be seriously flawed.

I think that choice - informed choice - is vital.  And so is having
aught to choose from.

Regards,

	Kurt Fitzner


[1] Selecting Cryptographic Key Sizes (2001), Dr. Arjen K. Lenstra, Dr.
Eric R. Verheul
Journal of Cryptology: the journal of the International Association for
Cryptologic Research.

It is interesting to note that their extrapolation to 2004 of 1108 bits
as a minimum key-size didn't change between 1999, the year the paper
was first released, and 2001, the year of the paper's last (to my
knowledge) update.

[2] See http://senderek.de/security/secret-key.protection.html, and
http://www.samsimpson.com/cryptography/pgp/pgpfaq.html - both well known
FAQs for the beginner learning about PGP/GPG and cryptography.





