Encryption keys: RSA vs. ElGamal

Robert J. Hansen rjh at sixdemonbag.org
Mon Nov 26 19:50:56 CET 2007

John W. Moore III wrote:
> That said; I personally [subjectively] feel that Elgamal is bit-for-bit
> more secure.

This is common wisdom; unfortunately, I'm not sure that the common
wisdom is correct.

>From a pure math perspective, it's probably true that the discrete
logarithm problem is harder than the integer factorization problem.
(Probably.  There are a lot of hidden assumptions and suppositions that
go into it.  While I don't find the assumptions and suppositions to be
unreasonable, it does give me the heebie-jeebies when people talk about
one being 'more secure' than the other without ever mentioning the

However, both are so phenomenally hard that any attack against the
system will probably target key management, sloppy communication
protocols, traffic analysis, etc.--and for these sort of attacks,
Elgamal is no better than RSA.

More information about the Gnupg-users mailing list