ietf-openpgp

Re: Elgamal signatures

1998-04-14 15:47:06

Jon Callas <jon(_at_)pgp(_dot_)com> writes:
> I've been writing up a section on the care needed to select Elgamal keys so
> that the resulting signatures are strong. In going through all of this, I
> can't help but wonder if it's worth it.
>
> Should we forego Elgamal signatures in the spec and make Elgamal only an
> encryption algorithm?

One advantage of Elgamal signatures is that they are defined for hash
algorithms producing more than 160 bits of output.

So this might be nice for RIPE-MD with larger output to provide a more
secure option than 160 bits.  When you take into account birthday
attacks, at 80 bits DSA doesn't look that strong, if we are talking
about building in future proofing.

For this reason I'd like to see Elgamal signatures remain as a MAY.

(And I'd also like by implication to see a larger output hash function
in).

Adam
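
The birthday bound the message above relies on (a 160-bit digest giving roughly 80 bits of collision resistance) can be measured at small scale. The following is an added example, not part of the original post: it truncates SHA-1 (assumed here as a representative 160-bit hash; the message names only RIPE-MD) to n bits and counts how many distinct constructed messages are hashed before two collide, which lands near 2^(n/2).

```python
import hashlib
import math


def truncated_digest(message: bytes, bits: int) -> int:
    """Return the leftmost `bits` bits of SHA-1(message) as an integer."""
    full = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int):
    """Hash distinct counter-based messages until two share a truncated digest.

    Returns (first_message, second_message, attempts). By the pigeonhole
    principle this terminates within 2**bits + 1 attempts; the birthday
    bound says it typically takes about 2**(bits / 2).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-message-%d" % counter  # constructed sample input
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1


def collision_work_bits(digest_bits: int) -> int:
    """Approximate log2 of the hashes needed for a collision (birthday bound)."""
    return digest_bits // 2


if __name__ == "__main__":
    # Measured collisions on small truncations track half the digest width.
    for bits in (16, 20, 24):
        a, b, attempts = find_collision(bits)
        print(f"{bits:3d}-bit digest: collision after {attempts} hashes "
              f"(~2^{math.log2(attempts):.1f}), {a!r} vs {b!r}")
    # Extrapolation to full-width digests, as discussed in the message.
    for bits in (160, 256):
        print(f"{bits:3d}-bit digest: about 2^{collision_work_bits(bits)} hashes")
```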
