Re: ElGamal signature encoding

Werner Koch (wk@isil.d.shuttle.de)
Sun, 5 Apr 1998 12:41:01 +0200

• Next message: Robin Lee Powell: "DC Nets"
• Previous message: Lewis McCarthy: "Re: ElGamal signature encoding"
• In reply to: Werner Koch: "ElGamal signature encoding"
• Next in thread: Martin Grap: "Re: ElGamal signature encoding"
• Reply: Martin Grap: "Re: ElGamal signature encoding"

Lewis McCarthy <lmccarth@cs.umass.edu> writes:

> I'm guessing that PGP uses some variant of PKCS #1 for the format of
> data signed with ElGamal. (The OpenPGP draft I found only talks about

No. PGP 5 does not use ElGamal for signatures, but DSA and the hash is
simply used without any padding as input for DSA.

> RSA and DSA signatures, and I didn't find any kind of PGP 5-related
> technical spec at www.nai.com)

That is true and DSA is not explicitly described in OpenPGP.

> PKCS #1, uses FF padding to preclude a chosen ciphertext attack due to
> Desmedt and Odlyzko (see the Notes in PKCS #1). The attack derives

I do not have Crypto '85 here (and probably it is not available at a
public library here :-(). I guess ElGamal is vulnerable to this attack
and DSA is not.

-- 
Werner                      (finger gcrypt@ftp.guug.de for info about GnuPG)

• Next message: Robin Lee Powell: "DC Nets"
• Previous message: Lewis McCarthy: "Re: ElGamal signature encoding"
• In reply to: Werner Koch: "ElGamal signature encoding"
• Next in thread: Martin Grap: "Re: ElGamal signature encoding"
• Reply: Martin Grap: "Re: ElGamal signature encoding"