On Tue, 14 Apr 1998, Jon Callas wrote:
I've been writing up a section on the care needed to select Elgamal keys so
that the resulting signatures are strong. In going through all of this, I
can't help but wonder if it's worth it.
You could also simply point to the external info, or just add info on how
to detect weak signatures.
Should we forego Elgamal signatures in the spec and make Elgamal only an
encryption algorithm?
I would rather leave a reserved number, etc. for it. DSA limits the
signature size to 160 bits, so even if I create a 4096 bit p, it isn't any
more secure than a 2048 bit p.
Also, since one of the problem is the generators, if anyone wants to add
ElGamal signatures later, it would help if people started using a
generator other than 2 when creating the parameters even if they don't
support ElGamal in the current version.
There is one further complication. Right now I would leave them in as a
MAY so that all my ring handling code is required for *authentication* and
therefore *possibly* exportable (I actually have a slim version of my
library without any encryption, but it still does clearsigning and
verification using the 3 signature algorithms v.s. the 5 hashes).
I assume you are going to leave ROT-N and SAFER/SK128 in? The former is
specifically designed to be weak.
--- reply to tzeruch - at - ceddec - dot - com ---