Question about Algorithm Validations

Tom Schaible tschaible at gmail.com
Mon Sep 21 22:36:30 CEST 2009


Hello all,

I've been trying to find some information on GPG and how its
algorithms are validated.  Unfortunately, I've been coming up empty
on the web site and in archive searches.  Hopefully, some of you can
answer my questions and confirm some of my assumptions.

1. I'm working under the assumption that libgcrypt is a library that
encapsulates the cryptographic algorithms and that libgcrypt is used
only by gpg 2.x or greater.  gpg 1.4.x does not use libgcrypt and
updates to libgcrypt are not necessarily being patched back into the
gpg 1.4 codebase.  Is this correct?

2. I've read some forum posts that state that libgcrypt is tested
against the NIST CAVS test suite and that 1.4.4 has passed all
tests and is validated by NIST.  Is this correct?  If so, does anyone
know which algorithms/validation #'s libgcrypt was validated under?  I
can't seem to find them in the NIST database.

3. Assuming gpg 1.4.x doesn't use libgcrypt directly, what are the
procedures for validating its algorithms (NIST or otherwise)?

Your help is greatly appreciated.

Thanks,
--Tom


