Looking for Elgamal sign+encrypt key information
kfitzner at excelcia.org
Mon Mar 15 22:51:54 CET 2004
>I wouldn't say that. I think it's more accurate to say
>that RSA signatures obsoleted Elgamal signatures. At the
>time that Elgamal signatures were added to the OpenPGP
>standard (and to GnuPG), RSA was patented and could not
>be freely used. Now that the RSA patent has expired, there
>is very little point to Elgamal signatures.
I had forgotten the RSA patent issue. Looking at the historical
perspective, I can better understand why ElGamal was included, even with
it being a crptographically inferior choice. My main concern wasn't so
much to keep the ElGamal signatures in, per se. As I mentioned in an
earlier post, I myself use RSA sign+encrypt keys. My point, though, is
that I don't consider DSA to have sufficient key sizes. Quite a few of
the negative arguments against ElGamal (larger signatures than DSA,
slower than DSA, etc) also work against RSA.
>I think that while lots of choice is a laudable goal, it has
>to be balanced - especially in security related programs -
>with some conservatism as to algorithms.
I agree. I suppose I started to see a trend that confused and troubled
me a little. First, the ElGamal and RSA sign+encrypt key generation
options are hidden unless you issue the "--expert" switch. Then, when
an implementation flaw is discovered in ElGamal key generation, the
whole algorithm is disabled. It's a progression that, to me, seemed to
be leading to having DSA as the only signing alternative left. I hope
(assume) that there are no plans to move away from RSA signing or RSA
>Note that the upcoming revision to the OpenPGP standard does
>not include Elgamal signatures.
That's a very telling point that I wasn't aware of.
I still don't know the nuts and bolts of what makes ElGamal signatures
dangerous to implement. I can't see how it would be any different than
RSA. Hash the message, encrypt the hash with the sender's private key,
ASCII-fy the result. How is ElGamal signing any more dangerous than
ElGamal encrypting? Like Atom Smasher, I would love if someone could
offer (or point me to) a dumbed down version for the cryptographically
challenged. Simply out of curiosity.
Thanks for all the replies I have been given. I appreciate the time
people have taken.
More information about the Gnupg-users