ietf-openpgp

Re: The case against ElGamal signatures in PGP

1998-06-02 03:52:46
Philip Zimmermann <prz(_at_)pgp(_dot_)com> writes:

is.  That would also entail a work factor of about 2^80.  This means that
unless we find a bigger hash, we gain little by making p or q bigger in 
the DSS.

A new attack may decrease the work factor for DL schemes below 2^80
and in this case a larger DL may help.  Same for new attacks on SHA1.

keys, it would be just as easy to expand the p and q parameters of DSS as 
it would to expand the parameters of pure ElGamal.

Hmmm, there is still a patent on DSA and the government might want to
enforce the Kravitz patent if an implementation changes the parameters. 

3)  Adding more public key algorithms is good, because more features is
always better.

This is not for featurism, but to give the user a choice.

We probably will be able to justify adding elliptic curves at some point, 
because they allow cheap 8-bit microcontrollers to compute and check

And run into a lot of patent conflicts.

But straight ElGamal signatures offer no new real capability.  It brings
nothing new to the table.  In fact, it actually has real disadvantages.

One advantage is that you can use one key for encryption and signing
(as pgp2 does it).

The first disadvantage of ElGamal compared with DSS is that ElGamal makes
much bigger signatures.  Have you noticed that DSS signatures are so much

Really true.

go to pure ElGamal signatures.  That will bloat the public key infrastructure,
as each key collects many signatures on it from other keys.  It will
bloat everything that gets signed.

There are a lot of things which bloat the public keys too - here is a
new field of work.

weaknesses.  But at least one implementation of OpenPGP's ElGamal signatures 
has done it wrong.  Others might also do it wrong.  PGP users should not 

Which one? (and which OpenPGP draft)

In short, ElGamal signatures are bigger, slower, and in many cases less 
secure, than DSS.  It is inferior in every way to DSS.  It does not belong 
in the OpenPGP standard.  PGP stands for quality, and so should OpenPGP.

PGP5 is just an implementation of OpenPGP; the PR can convince the user
that this or that program is a better or worse implementation of OP.

The correct implementation of an algorithm is easy compared to the
design of other parts of such a system (e.g. the RNG).


If anyone breaks an ElGamal signature because it was improperly implemented,
the reputation of the whole OpenPGP standard will suffer.  It will not matter

So does the reputation of MIME or rfc822 suffer just because M$ is not
able or willing to deliver a working system?



Werner