What is the practical strength of DSA1024/Elgamal2048 (former GnuPG default)?

Bernhard Reiter bernhard at intevation.de
Thu Apr 25 09:20:47 CEST 2019

until about 2009 GnuPG [1] had dsa1024/elg2048 as default key algorithms.
There are still keys around with those algorithmus.

Recommendations from the US and Europe [2] only list DSA between 1900
and 3000 bits as allowed for legacy use. So it is clear that DSA1024
should not be used anymore.

How urgent is it to convince people to create new keypairs?
To me this means rephrased:
   How strong or weak is this combination of keys for todays usage?
Wikipedia points out a strong  sensitivity of the algorithm to the quality of 
random number generators and that implementations could deliberately leak 
information in the signature [3]. This alone probably is a reason to switch 

Apart from the problems an attacker could be solving the discrete log problem.
A presentation from 2013 [4] assumes that advances are made towards solving
this in a practical time frame. Does somebody has good pointers on the state 
of the art for this?

Because dsa1024/elg2048 used to be a default of GnuPG, I think it would be 
helpful to point our users towards a well understood reasoning when and why 
they should move to a better key-pair.

What do you think?

Best Regards,

[1] https://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025079.html


www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190425/57c05626/attachment.sig>

More information about the Gnupg-users mailing list