
Re: Elgamal signatures



On Tue, 14 Apr 1998, Jon Callas wrote:

> I've been writing up a section on the care needed to select Elgamal keys so
> that the resulting signatures are strong. In going through all of this, I
> can't help but wonder if it's worth it.

You could also simply point to the external info, or just add info on how
to detect weak signatures.

> Should we forego Elgamal signatures in the spec and make Elgamal only an
> encryption algorithm?

I would rather leave a reserved number, etc. for it.  DSA limits the
signature size to 160 bits, so even if I create a 4096 bit p, it isn't any
more secure than a 2048 bit p.

Also, since one of the problems is the generators, if anyone wants to add
ElGamal signatures later, it would help if people started using a
generator other than 2 when creating the parameters even if they don't
support ElGamal in the current version.

There is one further complication.  Right now I would leave them in as a
MAY so that all my ring handling code is required for *authentication* and
therefore *possibly* exportable (I actually have a slim version of my
library without any encryption, but it still does clearsigning and
verification using the 3 signature algorithms vs. the 5 hashes).

I assume you are going to leave ROT-N and SAFER/SK128 in?  The former is
specifically designed to be weak.

--- reply to tzeruch - at - ceddec - dot - com ---
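
The parameter and signature screening suggested in this thread, as an added example that is not part of the original message. It flags the case documented by Bleichenbacher (Eurocrypt '96), where p = 1 (mod 4) and a smooth generator g divides p - 1, and applies the range check on (r, s) that a verifier needs; the function names, the smoothness bound and the toy prime are assumptions, and p is assumed to be already proven prime.

```python
# Added example, not code from the thread or from any OpenPGP implementation.
# Assumption: p has already been verified to be prime by the caller.

def is_smooth(n, bound=1 << 16):
    """True if every prime factor of n is <= bound (plain trial division)."""
    d = 2
    while n > 1 and d <= bound:
        while n % d == 0:
            n //= d
        d += 1
    return n == 1


def screen_signing_params(p, g, bound=1 << 16):
    """Return findings that make (p, g) unsuitable for ElGamal signatures."""
    if not 1 < g < p - 1:
        return ["generator-out-of-range"]
    findings = []
    # Published forgery condition: p = 1 (mod 4), g divides p - 1, and
    # discrete logs in the order-g subgroup are easy (g smooth, e.g. g = 2).
    if p % 4 == 1 and (p - 1) % g == 0 and is_smooth(g, bound):
        findings.append("smooth-generator-divides-p-1")
    return findings


def signature_in_range(p, r, s):
    """Range check a verifier applies before evaluating g^h == y^r * r^s."""
    return 0 < r < p and 0 < s < p - 1


if __name__ == "__main__":
    P = 29  # constructed toy prime with P % 4 == 1; 2 and 3 both generate Z_29*
    for g in (2, 3):
        print(f"p={P} g={g}: {screen_signing_params(P, g) or 'no findings'}")
    print("r = p accepted?", signature_in_range(P, P, 5))
```

Because p - 1 is always even, g = 2 trips this check for every prime p with p = 1 (mod 4), which is the concern behind choosing a generator other than 2.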