Jon Callas <joncallas=40icloud(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org>
writes:
A longer answer is that OpenPGP is pretty much the first substantial
protocol to use Elgamal keys. Back in the late ‘90s, when patents were
an issue, the then "PGP 3” system which became “PGP 5” and then that
became standardized as OpenPGP, wanted an alternative to RSA. The RSA
patent expired in the year 2000, but the discrete log patents expired
in ’97. Thus, there was a real reason for wanting a discrete log
option. They picked Elgamal because you can use it more or less as if
it were RSA. As time went on, Elgamal signatures fell by the wayside
over DSA, leaving Elgamal for encryption.
Derek Atkins might remember more, because a lot of those original
decisions were made by some combination of him, Colin Plumb, and Hal
Finney.
As I recall, we added DSA and ElGamal to attempt to work around the RSA
patents. For a while, IIRC, PGP3/5 did not even support RSA at all,
making it harder to interact with PGP2 -- at least for a short while.
This was all back in 1996-1997 when this work was done.
Jon
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp