There are a number of issues around Elgamal signatures, as opposed to (say)
DSA signatures. These are the ones I can remember off the top of my head:

All discrete-log signature systems have as part of their real strength the
size of the hash function as well as the size of the key. Because of
birthday attacks, the strength of the hash is half its length (a.k.a. the
square root of the maximum hash number) -- so a 160 bit hash has a strength
of 80 bits. This is alleged to be roughly the same strength as a 1024 bit
key. The downside of this is that there is no reason to make a key longer
than 1024 bits with no longer hashes, and in fact it is arguably a security
weakness. The counter-argument to this is that without the longer keys,
there's no reason to have longer hashes. (For the last couple of months,
I've been waiting for someone to suggest a longer hash, like say
Haval-5-256, or to even agree with my hints that such a thing would be a
good idea.)

Elgamal signatures are large when compared to DSA sigs -- two full-key
MPIs, as opposed to two 160-bit MPIs. The counter-argument is, "so what?"
They're also slow -- they require three exponentiations, as opposed to only
one for DSA.

Elgamal signatures allow a key to be used for both encryption and
signatures. The counter argument is that many protocol designers think this
is a Bad Thing, that keys should be single-purpose. The counter-counter
argument is, "you design your protocols, I'll design mine." In other words,
if there is *some* protocol that has a good use for a dual-use key, then
the meta-protocol shouldn't forbid it.

Elgamal keys that are used for signing have to have more constraints placed
on them than encryption keys. The keys that PGP 5.x generates are not
suitable for signatures. Some facets of this are a serious consideration;
unlike some signature flaws that cause bad signatures, these cause loss of
your key. There's a good discussion of these security considerations in
Menezes, van Oorschot, and Vanstone, pp. 454-456. You can also find an
interesting paper on mere forgeries at
<ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/ElGamal.ps>

There are also some other fussy things you can do to forge signatures, like
make r and s roughly twice the size of the prime p. It all just means you
have to be extra careful with Elgamal sigs.

Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
CTO, Total Network Security 4200 Bohannon Drive
Network Associates, Inc. Menlo Park, CA 94025
(650) 473-2860
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
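
The range checks that the point about oversized r and s calls for, as an added example that is not part of the original message and is not PGP code: a textbook Elgamal verifier with and without the bounds 0 < r < p and 0 < s < p-1. The parameters, key, digest value and all function names are constructed for illustration, and the digest is passed in as an integer rather than computed from a message.

```python
# Constructed toy parameters, far too small for real use.
P = 467                 # prime modulus
G = 2                   # base
X = 127                 # private key
Y = pow(G, X, P)        # public key

def sign(m, k):
    """Textbook Elgamal signature on digest m with per-signature secret k.

    k must be fresh, secret and invertible mod p-1; it is fixed by the
    caller here only so the sample is repeatable.
    """
    r = pow(G, k, P)
    s = (m - X * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s

def equation_holds(m, r, s):
    # Verification equation: y^r * r^s == g^m (mod p)
    return pow(Y, r, P) * pow(r, s, P) % P == pow(G, m, P)

def verify_unchecked(m, r, s):
    """Verifier that tests only the equation, with no bounds on r or s."""
    return equation_holds(m, r, s)

def verify(m, r, s):
    """Verifier that rejects out-of-range values before the equation."""
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return equation_holds(m, r, s)

def oversized_variant(r, s):
    """Same signature re-encoded with r about twice the size of p.

    Adding p*(p-1) to r changes neither r mod p nor r mod (p-1), and adding
    (p-1) to s leaves r^s mod p unchanged, so the equation cannot tell the
    two encodings apart. Only the range check can.
    """
    return r + P * (P - 1), s + (P - 1)

if __name__ == "__main__":
    m = 100                          # constructed digest value
    r, s = sign(m, 213)
    big_r, big_s = oversized_variant(r, s)
    print("in range  :", verify_unchecked(m, r, s), verify(m, r, s))
    print("oversized :", verify_unchecked(m, big_r, big_s), verify(m, big_r, big_s))
```

The sample only re-encodes a signature for the same digest; it shows that the equation alone does not constrain the size of r and s, which is why the bounds have to be tested explicitly.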