Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] 10 reasons not to start using PGP

Gregory Maxwell greg at
Thu Oct 10 18:21:59 PDT 2013

On Thu, Oct 10, 2013 at 5:14 PM, carlo von lynX
<lynX at> wrote:
> On 10/10/2013 11:08 PM, Gregory Maxwell wrote:
>> I'm surprised to see this list has missed the thing that bugs me most
>> about PGP: It conflates non-repudiation and authentication.
>> I send Bob an encrypted message that we should meet to discuss the
>> suppression of free speech in our country. Bob obviously wants to be
>> sure that the message is coming from me, but maybe Bob is a spy ...
>> and with PGP the only way the message can easily be authenticated as
>> being from me is if I cryptographically sign the message, creating
>> persistent evidence of my words not just to Bob but to Everyone!
> I kind-of lumped it mentally together with forward secrecy, because
> for both problems the answer is Diffie-Hellman. But you are right, it
> is the eleventh reason.

For a non-interactive system classical diffie-hellman only works for
the two party case. Three-party non-interactive key agreement requires
the gap-diffie-hellman problem (pairing cryptography), and then it's
probably easier to implement ring signatures at that point.

Forward secrecy can also be done (again in the context of pairing
cryptography) without interaction or diffie-hellman and constant size
(in the number of time windows) public keys.  The general idea is that
you use identity based encryption with the quantized good-until-date
as the "identity" and a public key the receiver has generated as the
master public key.  The reciever uses their master private key to
precompute all their future good-until-date keys and then destroys
their master private key so that they can no longer rederive expired
keys. As time passes they destroy their expired good-until-date keys.

(There are also schemes which lower the storage and key generation
requirements. For more information, see

Though there are simple libraries that implement the hard parts of the
required cryptographic for things like ring signatures or
ID-based-forward secrecy... I've never seen a production application
for people that use them.

Maybe there is an argument that PGP's pretty-goodness is just good
enough to inhibit the existence of better tools?

More information about the liberationtech mailing list