Hal Finney (hal@rain.org)
Mon, 6 Apr 1998 12:02:08 -0700
PGP 5.X has some commented-out code for ElGamal signatures. It should
not be used, because doing ElGamal signatures requires some care in the
choice of keys. PGP does not currently generate ElGamal keys which are
suitable for ElGamal signatures. They are fine for ElGamal encryption,
which is what they are used for.
The commented-out ElGamal signature code does use PKCS1 padding when
it converts the hash into a numeric value. This is largely done for
consistency with the RSA signature code. One effect of this is to put
the OID for the hash algorithm into the exponent along with the hash,
thereby signing the hash algorithm, which is beneficial. This also pads
the value to be the size of the prime modulus. I don't know whether there
is much value in doing this.
It's not all that costly to do this padding. Verifying an ElGamal
signature requires three exponentiations, at least two of which will use
full sized exponents. At best you could use a smaller exponent for one
of the three encryptions, so the savings is not that great.
Frankly, I don't know why people want to do ElGamal signatures at all.
DSS signatures are considerably faster and smaller, and ElGamal
signatures have a known weakness which requires keys to be carefully
chosen; see http://www.bell-labs.com/user/bleichen/bib.html, look at
his paper from Eurocrypt 96 on generating ElGamal signatures without
knowing the secret key.
At the IETF meeting last week, there was a rumor going around of a
patent which would cover ElGamal signatures (but supposedly not DSS).
No details were available, however, and I haven't heard anything more
about it.
Hal
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:52 ADT