
I'm working on an encryption system where each party can store exactly a single ElGamal private key in a device. This is a hardware limit. The system must be expanded to support signatures and encryption.

Can each party use the same key-pair for both schemes?

I know that encryption/signature key lifetimes and security key-lengths may be different, but this would not pose any serious risk to our system.

So the question can be restated as: Are there passive or active attacks (e.g. algebraic, chosen-plaintext/ciphertext) that are specifically targeted at users sharing ElGamal Encryption/Signature key-pairs?

CodesInChaos
SDL

1 Answer

It depends.

It depends on a lot of things. For example a generator of 2 is great for encryption, but makes for awful signatures. If you use a generator of 2, then no. Your signatures will get broken. Then the encryption will.

Elgamal signatures are pretty controversial. They're tetchy to get right (see above) and there are many things you can get wrong. Also, they're large, when compared to DSA. DSA is a modification of Elgamal signatures and designed so that the size of the signature is proportional to the size of the hash, not the size of the key. They're thus smaller.

They were added into OpenPGP for RFC 2440, and implemented in GnuPG but not in PGP, because of security/implementation concerns that PGP developers had. A serious bug was found in the GnuPG implementation, and then they were removed from GnuPG, and then from RFC 4880 as no one was implementing them.

Ask yourself why you're doing them rather than DSA, research the problems people had in the past, and make sure you've done it right.

Jon

Jon Callas
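The answer's point is that ElGamal signatures are easy to get wrong and that the choice of generator matters. The following is an added, self-contained Python example (not code from the question, the answer, or any library) showing one key pair used for both ElGamal encryption and ElGamal signatures. It assumes a DSA-style setup: a safe prime p = 2q + 1 and a generator g of the prime-order-q subgroup rather than a generator such as 2 of the full group, and the verifier enforces the range and subgroup checks that implementations have historically omitted. The parameter sizes are deliberately tiny so it runs in a second; they are not secure and are generated at runtime, so no real-world group is hard-coded.

```python
import hashlib
import secrets

# ---------- parameter generation (toy sizes, for illustration only) ----------

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; good enough for generating toy parameters."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits=40):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of order q.

    Because p is a safe prime, every quadratic residue other than 1 has order
    exactly q, so g is obtained by squaring a random element. This is the
    DSA-style choice; it avoids using a small generator of the full group.
    """
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if g != 1:
            return p, q, g

def keygen(params):
    """One key pair (x, y = g^x) that will be used for both primitives."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

# ---------- encryption with the shared key ----------

def encrypt(params, y, m):
    """ElGamal encryption of an integer m in [1, p-1] (no padding; toy only)."""
    p, q, g = params
    k = secrets.randbelow(q - 1) + 1          # fresh ephemeral value per message
    return pow(g, k, p), (m * pow(y, k, p)) % p

def decrypt(params, x, ct):
    p, q, g = params
    c1, c2 = ct
    return (c2 * pow(c1, -x, p)) % p          # c2 * c1^(-x)

# ---------- signatures with the same key ----------

def _digest(params, msg):
    q = params[1]
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params, x, msg):
    """ElGamal signature with exponent arithmetic modulo the subgroup order q."""
    p, q, g = params
    h = _digest(params, msg)
    while True:
        k = secrets.randbelow(q - 1) + 1      # never reuse k: reuse leaks x
        r = pow(g, k, p)
        s = (pow(k, -1, q) * (h - x * r)) % q
        if s != 0:
            return r, s

def verify(params, y, msg, sig):
    """Accept only if 0 < r < p, 0 < s < q, r lies in the order-q subgroup,
    and y^r * r^s == g^H(m) (mod p). The first three checks are the ones a
    careless verifier skips; they are cheap and independent of the key."""
    p, q, g = params
    r, s = sig
    if not (0 < r < p and 0 < s < q):
        return False
    if pow(r, q, p) != 1:                     # r must have order dividing q
        return False
    h = _digest(params, msg)
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, h, p)

if __name__ == "__main__":
    params = gen_params()
    x, y = keygen(params)
    ct = encrypt(params, y, 424242)
    print("decrypt ok:", decrypt(params, x, ct) == 424242)
    sig = sign(params, x, b"constructed sample message")
    print("verify ok:", verify(params, y, b"constructed sample message", sig))
```

The same (x, y) drives both `decrypt` and `sign`, which is what the question asks about. The design choice worth noting is that all exponent arithmetic is reduced modulo q and the verifier rejects any r outside (0, p) or outside the subgroup, so a signature cannot be "verified" with values that were never produced by exponentiating g; that is the class of mistake the answer is warning about when it says a generator of 2 makes for awful signatures.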