nospam-seesignature@ceddec.com
Mon, 6 Apr 1998 18:29:53 -0400
On Mon, 6 Apr 1998, Hal Finney wrote:
> Frankly, I don't know why people want to do ElGamal signatures at all.
> DSS signatures are considerably faster and smaller, and ElGamal
> signatures have a known weakness which requires keys to be carefully
> chosen; see http://www.bell-labs.com/user/bleichen/bib.html, look at
> his paper from Eurocrypt 96 on generating ElGamal signatures without
> knowing the secret key.
1. I can do everything with a single primary key. There is a utility to
having things be symmetric.
2. I can use a larger size if I am paranoid. DSS is limited to 160 bits
(and without the OID). Although the algorithm is itself adaptable to
allowing the signed material to be larger, no one has suggested a standard
for a "big" DSS. I forgot the post, but someone noted that there is no
point in a 4096 bit DSS key since the 160 bit parameter is the limiting
factor on security.
3. Actually I don't care, but since I had the PGP source first (and had to
turn other things on, e.g. DSA/RIPEMD160), I just went through and
implemented everything PGP 5.0 could possibly do. In fact, my code has a
disable-elGamal define just like PGP. Only recently have I been moving
toward the OpenPGP spec, and I am loathe to completely delete things.
--- reply to tzeruch - at - ceddec - dot - com ---
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:53 ADT