Problems with GPG El Gamal signing keys?

Anton Stiglic astiglic at okiok.com
Mon Dec 1 14:20:10 EST 2003


----- Original Message ----- 
From: "Ralf Senderek" <ralf at senderek.de>
To: "Werner Koch" <wk at gnupg.org>; "cryptography" <cryptography at metzdowd.com>
Sent: Thursday, November 27, 2003 11:23 AM
Subject: Re: Problems with GPG El Gamal signing keys?


> On Thu, 27 Nov 2003, Werner Koch wrote:
>
> > Yes, yes, I should have removed ElGamal signing key support back in
> > 1998 when there was no more need for it.  I recall that some folks
> > begged me not to do that and I took the wrong decision.
>
> I think no-one will blame you for this, you couldn't have known the
> effects. But what are we going to learn? Heading for far less complexity
> is the future!

Maybe we can learn that code re-use is tricky in cryptography:  indeed, if
the signing function and encryption function did not use the same gen_k
function, the author of the code would have done the optimization that
causes the vulnerability in the signing function because this has never been
recommended (while for encryption it is a well known recommendation).

Maybe we can learn that using the same key for two different things is
really really not a good idea!  If the vulnerability was restricted to
signatures it would have been less severe, being able to decrypt all
confidential messages that were created in the past is much more severe.
A lot of applications use one single key for both signing and encryption,
while this doesn't seem to be immediately dangerous I don't think it's a
good idea. For example when I receive an email from someone that is signed,
Outlook will save the public signature key that comes with the message and
use it to encrypt if I decide to send an encrypted message to that person.
I never understood why having separate keys for signing and encrypting was
so complicated to implement?  Also in the PoP protocol of X.509, a signature
using the private key is used to prove possession of the private key
corresponding to a public encryption key.  While the different padding used
in signature and encryption schemes makes it difficult to find an obvious
vulnerability with this, I don't think it's a good idea.

You have to be very careful when using the same key pair for encrypting and
signing.  The subtle error found in GnuPG about using small k is a good
example.  Another thing to consider is that ElGamal encryption with base
g = 2 is safe but insecure for signatures...  It's just simpler to have two
distinct pairs of keys.

By the way, is the paper by Phong Q. Nguyen describing the vulnerability
available somewhere?  Or maybe someone could describe the cryptanalysis
steps to retrieve the private key from the signature when using smaller
random k, I would appreciate it.  ElGamal with smaller k looks a lot like
DSA, except in DSA you work with a generator of a smaller subgroup and
your k is chosen in this smaller subgroup...

Thanks.

--Anton
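
A defensive check related to the message above, as an added example that is not part of the original post or of GnuPG: it scans `gpg --list-keys --with-colons` output for ElGamal sign+encrypt keys (OpenPGP algorithm 20) and for any key that carries both signing and encryption capability. The sample listing is constructed, and the field layout (field 4 algorithm, field 5 key ID, field 12 capabilities) is assumed to follow GnuPG's doc/DETAILS.

```python
# Added example: audit a colon-format key listing for keys that sign and
# encrypt with the same key material. Not code from GnuPG or the post.

ELGAMAL_SIGN_ENCRYPT = 20  # OpenPGP algorithm ID: Elgamal (encrypt or sign)

# Constructed sample listing; key IDs and names are made up.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:2003-01-01:::u:Alice (constructed)::scSCE:
sub:u:2048:16:BBBBBBBBBBBBBBBB:2003-01-01::::::e:
pub:u:2048:20:CCCCCCCCCCCCCCCC:2001-05-05:::u:Bob (constructed)::escESC:
pub:u:2048:1:DDDDDDDDDDDDDDDD:2002-02-02:::u:Carol (constructed)::escESC:
"""


def audit(listing):
    """Return (keyid, reason) findings for pub/sub records in the listing."""
    findings = []
    for line in listing.splitlines():
        f = line.split(":")
        # Only key records are relevant; skip uid, fpr, sig and short lines.
        if f[0] not in ("pub", "sub") or len(f) < 12 or not f[3].isdigit():
            continue
        algo, keyid, caps = int(f[3]), f[4], f[11]
        if algo == ELGAMAL_SIGN_ENCRYPT:
            findings.append((keyid, "ElGamal sign+encrypt key (algorithm 20)"))
        # Lowercase letters are this key's own capabilities; uppercase
        # letters on a pub record summarise the whole key and are ignored.
        elif "s" in caps and "e" in caps:
            findings.append((keyid, "same key used for signing and encryption"))
    return findings


if __name__ == "__main__":
    for keyid, reason in audit(SAMPLE):
        print(keyid, reason)
```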


