Is it insecure to sign the plaintext 0 with the ElGamal signature algorithm? Can this leak the private key, give the possibility to forge other signatures, or does it provide any other attack vector?
1 Answers
11
Is it insecure to sign the plaintext 0 with ElGamal signature algorithm?
It is insecure to verify the plaintext that hashes to 0 with the ElGamal signature algorithm, because anyone can generate such a signature with only the public key.
The validation requirement is:
$$g^{H(m)} = pk^r r^s$$
(where $g$ is the curve generator, $H(m)$ is the hash of the message, $pk$ is the public key, and $r, s$ are values provided in the signature).
If $H(m) = 0$, then this reduces to $1 = pk^r r^s$. If we generate a signature with $r = pk$, and $s = (p-1)-pk$ (where $p$ is the prime modulus), then it is easy to see that the relation is satisfied, and that we have successfully generated a signature with only the public key.
poncho
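The validation relation from the answer, as an added example that is not part of the original post: a textbook ElGamal verifier over constructed toy parameters, run against the $(r, s)$ pair the answer describes, beside a variant that refuses such digests. The parameters, function names and the rejection rule are assumptions of this example; the rule generalizes $H(m) = 0$ to any digest that is a multiple of $p-1$, since $g^{H(m)} = 1$ there as well.

```python
# Added example with constructed toy parameters (assumptions, not from the post).
P = 467            # small prime modulus; real deployments use far larger primes
G = 2              # group generator for this toy prime
X = 127            # private key, used only to produce the genuine signature
PK = pow(G, X, P)  # public key


def sign(h, k):
    """Textbook ElGamal signature on digest h with nonce k, gcd(k, p-1) = 1."""
    r = pow(G, k, P)
    s = (h - X * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s


def verify(h, r, s):
    """The answer's relation g^H(m) == pk^r * r^s (mod p), with range checks."""
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, h, P) == pow(PK, r, P) * pow(r, s, P) % P


def verify_hardened(h, r, s):
    """Same relation, but reject digests for which g^h collapses to 1."""
    if h % (P - 1) == 0:
        return False
    return verify(h, r, s)


def public_only_signature():
    """The (r, s) pair from the answer; no private-key material is used."""
    return PK, (P - 1) - PK


if __name__ == "__main__":
    r, s = sign(100, 213)          # genuine signature on a constructed digest
    fr, fs = public_only_signature()
    print("genuine, h=100:         ", verify(100, r, s))
    print("public-only pair, h=0:  ", verify(0, fr, fs))
    print("public-only pair, h=100:", verify(100, fr, fs))
    print("hardened, h=0:          ", verify_hardened(0, fr, fs))
```

The public-only pair verifies only when the digest is 0 modulo $p-1$, so the hardened variant still accepts ordinary signatures.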