ietf-openpgp

Re: The case against ElGamal signatures in PGP

1998-06-04 12:08:16
One of the points offered in support of ElGamal signatures is that this will
allow ElGamal keys to be used for both encryption and signatures.

Actually, this is not a good idea.  It is a useful principle of
cryptographic protocol design that the same key should not be used for
more than one protocol.  That is why even with RSA keys you are seeing
more and more implementations using separate keys for encryption and
signatures.

There are a couple of reasons for this precaution.  One is simply to
partition the usage of keys so that if a key is stolen or broken then
less functionality is compromised.  But the more significant point is
that it may be that using a key in more than one protocol causes specific
cryptographic weaknesses.

As a trivial example, some digital cash protocols use RSA based "blind
signatures" where the data being signed is mathematically hidden from
the signer.  Obviously if that same key were used to sign messages,
someone could get a blind signature on the hash of a message and easily
forge signatures.
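The blind-signature example above, worked through in code (added here; not part of Hal's message or any OpenPGP implementation). It uses textbook RSA with constructed toy-sized primes and a plain hash-then-sign encoding rather than PKCS#1 padding, so the numbers are illustrative only; the helper names (make_key, blind, blind_sign, unblind, forged_signature_accepted) are assumptions of this example. It shows that when one key serves both the blind-signature protocol and ordinary message signing, the unblinded blind signature verifies directly as a message signature, and that issuing the two roles separate keys removes that cross-protocol leak.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA keys: ~27-bit moduli so the example runs with no
# library.  Real keys use ~2048-bit moduli; the algebra is identical.
E = 65537


def make_key(p, q):
    """Return (n, e, d) for primes p, q (hypothetical helper, textbook RSA)."""
    phi = (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return p * q, E, pow(E, -1, phi)


KEY_A = make_key(10007, 10009)   # key used for blind signatures (e.g. digital cash)
KEY_B = make_key(10037, 10039)   # a separate key reserved for ordinary message signatures


def h(message, n):
    """Toy message representative: SHA-256 of the message reduced mod n.
    Real schemes use an encoding such as PKCS#1 v1.5 or PSS instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(key, message):
    """Ordinary RSA signature on a message."""
    n, _, d = key
    return pow(h(message, n), d, n)


def verify(key, message, sig):
    """Check an ordinary RSA signature on a message."""
    n, e, _ = key
    return pow(sig, e, n) == h(message, n)


def blind(key, value):
    """Client side of a Chaum blind signature: hide `value` with a random
    factor r, so the signer never sees what it is signing."""
    n, e, _ = key
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (value * pow(r, e, n)) % n, r


def blind_sign(key, blinded):
    """Signer side: applies the private exponent to whatever it is handed."""
    n, _, d = key
    return pow(blinded, d, n)


def unblind(key, blinded_sig, r):
    """Client side: strip the blinding factor, leaving value^d mod n."""
    n, _, _ = key
    return (blinded_sig * pow(r, -1, n)) % n


def forged_signature_accepted(blind_key, message_key, message):
    """Request a blind signature from `blind_key` on the hash of `message`
    and report whether `message_key` accepts the unblinded result as an
    ordinary signature on that message.  True means the blind-signature
    protocol has leaked into the message-signing protocol."""
    n_blind = blind_key[0]
    blinded, r = blind(blind_key, h(message, n_blind))
    sig = unblind(blind_key, blind_sign(blind_key, blinded), r)
    return verify(message_key, message, sig)


if __name__ == "__main__":
    msg = b"transfer 1000 to mallory"   # constructed sample message
    # Same key for both protocols: the unblinded blind signature is a valid
    # message signature, exactly the forgery described in the post.
    print("shared key, forgery accepted:", forged_signature_accepted(KEY_A, KEY_A, msg))
    # Separate keys per protocol: the blind signature is useless as a
    # message signature under the signing key.
    print("separate keys, forgery accepted:", forged_signature_accepted(KEY_A, KEY_B, msg))
```

The check to carry over into a real deployment is the one `forged_signature_accepted` makes explicit: any protocol that lets a third party choose what the private exponent is applied to (blind signing, or the decryption oracle in the Bleichenbacher case below) must run under a key that is never also used to produce signatures that other parties will trust.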

Another case might be an upcoming paper from Bleichenbacher to be
presented at Crypto 98, where he shows chosen-plaintext attacks against
RSA keys which use PKCS padding.  The attacker sends chosen RSA-encrypted
messages, and if information leaks back to him about which ones happened
to decrypt to syntactically legal PKCS-padded data, then he can eventually
construct an exponentiation on a chosen value using the private exponent.
If the RSA key is used only for decryption, he can decrypt a message.
But if it is also used for signatures, he can get an RSA signature on
a chosen message.  Breaking one protocol leaks into breaks of other
protocols.

Bruce Schneier and his group have come up with the idea of a "chosen
protocol attack" where two protocols, each individually secure, will
compromise a key when it is used for both protocols.  See
http://www.counterpane.com/chosen_protocol.html for more information.

Even if we support ElGamal signatures, we should move away from dual
use keys.  Encryption and signatures are very different kinds of
functionality, and we should not use the same keys for both if we can
avoid it.

Hal