What is better for GPG keys - RSA or DSA?

ssh-keygen defaults to creating RSA keys, but gpg --gen-key prefers DSA/ElGamal.

Which one - RSA or DSA - is better for GPG?


Solution 1:

The GPG maintainers are thinking of changing the default to RSA (source: Dealing with weakness in SHA-1 [LWN.net]). So, it seems they think RSA is currently the better option (and they should know more about it than you or me).

Solution 2:

RSA and DSA - misconceptions and useful information
has a couple of older RSA references and the recent DSA reference,

  • The Debian PGP disaster that almost was -- on the vulnerable debian openssl version

In 2003, RSA vs DSA Signatures - The Winner is... -- RSA.

So basically key generation is incredibly faster for DSA, which makes sense if you understand the algorithms. Signing is also faster for DSA, but not by as large a factor. RSA’s great strength is verifying which is much faster than DSA.

Recent IETF Draft: DSA with SHA-2 for DNSSEC, Expiring Jan 7, 2010.
It has some reasons for promoting DSA over RSA today.

Using DSA with SHA-256 in DNSSEC has some advantages and disadvantages relative to using RSA with SHA-256 when using 2048-bit keys. DSA signatures are much shorter than RSA signatures; at this size, the difference is 512 bits verus 2048 bits. On typical platforms using 2048-bit keys, signing DSA is about three times faster than for RSA, but verifying RSA signatures is more than ten times faster than for DSA.

The cryptographic strength of DSA is generally considered to be equivalent to RSA when the DSA public key and the RSA public keys are the same size. Such an assessment could, of course, change in the future if new attacks that work better with one or the other algorithms are found.

There are currently no known attacks on the specific set of DSA parameters chosen for this document. Such an assessment could, of course, change in the future.

But, this is only a draft at the moment.

Everyone loves the verification speed of RSA(!).

Solution 3:

RSA. There were some weaknesses discovered in SHA-1, which is the hash used by DSA. Debian are migrating all their keys from DSA to RSA.

Solution 4:

Quoting a forum discussion:

My advice would be to use an RSA signing key (the "primary" or "master" key) and an RSA subkey for encryption. The reason for using RSA for signing is mainly because RSA lets you use larger hashes than DSA does. DSA2 also lets you use larger hashes, but RSA has been supported for many years longer than DSA2 has.

I think that if you're using it in a standard way (i.e. you don't encrypt a huge amount of data) they'll both do well.

I would personally choose RSA because I've learned the algorithm, and it's one of the most beautiful algorithms I've ever seen.

Solution 5:

Also the use of SHA-2 algorithms is possible and allowed since current revision of DSS; but I was unable to find out which revision GPG follows.

Concerning to the current DSS specification (FIPS-186-3, p. i) any hash function specified in the SHS (FIPS-180-3, p. iv) may be used:

DSS:

FIPS approved digital signature algorithms shall be used with an appropriate hash function that is specified in the SHS.

SHS:

This Standard specifies five secure hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 - for computing a condensed representation of electronic data (message).


To the question: Both algorithms are based on mathematical problems which are not proven to be secure (RSA uses the problem of factorizing numbers and DSA uses the discrete logarithm problem), you cannot say one is more secure than the other, because not the one problem nor the other has ever been solved.

But by using DSA with SHA-1 you may have a security problem, as already said by pgs.