Problems with GPG El Gamal signing keys?

Werner Koch wk at
Thu Jan 8 08:54:08 EST 2004

On Mon, 1 Dec 2003 11:20:10 -0800, Anton Stiglic said:

> From: "Ralf Senderek" <ralf at>

> Maybe we can learn that code re-use is tricky in cryptography:  indeed, if
> the signing function and encryption function did not use the same gen_k
> function, the author of the code would have done the optimization that

But duplicates the lines of code and thus introduces another source of
errors.  It's hard to tell what's better.  Given that the algorithms for
signing and encryption are really different (compared to RSA) it might
have been better to use separate source files for ElGamal-signing and
ElGamal-encryption and not view them as similar.

> g = 2 is safe but insecure for signatures...  It's just simpler to have two
> distinct pairs of keys.

Sure, that's what OpenPGP strongly suggests.  However, ElGamal signing
stems from a time before OpenPGP when I tried to replace RSA by
ElGamal and keep most of the PGP2 format (rfc1991) in place.

> By the way, is the paper by Phong Q. Nguyen describing the vulnerability
> available somewhere?  Or maybe someone could describe the cryptanalysis

I don't know, please ask him.  Phong dot Nguyen at


Werner Koch                                      <wk at>
The GnuPG Experts                      
Free Software Foundation Europe        
