Looking for Elgamal sign+encrypt key information

Kurt Fitzner kfitzner at excelcia.org
Mon Mar 15 22:51:54 CET 2004

>I wouldn't say that.  I think it's more accurate to say
>that RSA signatures obsoleted Elgamal signatures.  At the
>time that Elgamal signatures were added to the OpenPGP
>standard (and to GnuPG), RSA was patented and could not
>be freely used.  Now that the RSA patent has expired, there
>is very little point to Elgamal signatures.

I had forgotten the RSA patent issue.  Looking at the historical
perspective, I can better understand why ElGamal was included, even with
it being a crptographically inferior choice.  My main concern wasn't so
much to keep the ElGamal signatures in, per se.  As I mentioned in an
earlier post, I myself use RSA sign+encrypt keys.  My point, though, is
that I don't consider DSA to have sufficient key sizes.  Quite a few of
the negative arguments against ElGamal (larger signatures than DSA,
slower than DSA, etc) also work against RSA.  

>I think that while lots of choice is a laudable goal, it has
>to be balanced - especially in security related programs -
>with some conservatism as to algorithms.

I agree.  I suppose I started to see a trend that confused and troubled
me a little.  First, the ElGamal and RSA sign+encrypt key generation
options are hidden unless you issue the "--expert" switch.  Then, when
an implementation flaw is discovered in ElGamal key generation, the
whole algorithm is disabled.  It's a progression that, to me, seemed to
be leading to having DSA as the only signing alternative left.  I hope
(assume) that there are no plans to move away from RSA signing or RSA
sign+encrypt keys?

>Note that the upcoming revision to the OpenPGP standard does
>not include Elgamal signatures.

That's a very telling point that I wasn't aware of.

I still don't know the nuts and bolts of what makes ElGamal signatures
dangerous to implement.  I can't see how it would be any different than
RSA.  Hash the message, encrypt the hash with the sender's private key,
ASCII-fy the result.  How is ElGamal signing any more dangerous than
ElGamal encrypting?  Like Atom Smasher, I would love if someone could
offer (or point me to) a dumbed down version for the cryptographically
challenged.  Simply out of curiosity.

Thanks for all the replies I have been given.  I appreciate the time
people have taken.


	Kurt Fitzner

More information about the Gnupg-users mailing list