Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [elgamal-signature]

A digital signature scheme based on the discrete logarithm problem, published by Taher ElGamal in 1984. Not to be confused with the ElGamal encryption system.

The ElGamal signature scheme is a digital signature scheme published by Taher ElGamal in 1984. Like the ElGamal encryption system, which was described in the same paper,[1] its security is based on the assumed difficulty of the discrete logarithm problem.

A variant of the ElGamal signature scheme was standardized as the Digital Signature Algorithm (DSA).

See also:

References:

  1. T. ElGamal (1985). "A public key cryptosystem and a signature scheme based on discrete logarithms". IEEE Trans inf Theo 31 (4): 469–472. Appeared earlier in the proceedings to Crypto '84.
91 questions
14
votes
1 answer

DSA vs. ElGamal vs. Schnorr

It has been well known for a long time that NSA played a primary role in the development of the Digital Signature Algorithm (DSA). DSA is a sort of hybrid of the ElGamal and Schnorr signature schemes. My question is this. Based on what we know now,…
Nemo
  • 1,377
  • 1
  • 14
  • 18
11
votes
1 answer

ElGamal Signature Scheme: Recovering the key when reusing randomness

Show how if Alice uses the same value of $k$ to sign two different messages $m_1$ and $m_2$, using the ElGamal signature scheme, Eve can recover the value of $a$ from the corresponding signatures $(m_1, r_1, s_1)$ and $(m_2, r_2, s_2)$. (Note: you…
Bobby S
  • 1,973
  • 4
  • 23
  • 30
9
votes
2 answers

What is largest prime factor in Diffie-Hellman?

I was reading the paper of A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms by TAHER ELGAMAL to better understand ElGamal public-key scheme, and he stated that for any cryptosystem based on discrete logarithm problem,…
vxek
  • 551
  • 3
  • 10
8
votes
1 answer

How can one show that an ElGamal-like signature verification scheme is valid?

For an ElGamal-like signature scheme, I am given two things: The signing function, the verification function. How can I show that the verification function is valid? Example 1: Signing: $s := x^{-1}(m - k·r) \pmod {p - 1}$ Verification: $g^m =…
Bobby S
  • 1,973
  • 4
  • 23
  • 30
6
votes
2 answers

ElGamal signature without calculating the inverse

I stumbled upon this question in some textbook. Propose a variant of ElGamal signature scheme such that there is no need to calculate the inverse $k^{-1}$ as it is usually done using the EEA. Recalling what ElGamal signature is about: we fix a…
Azooo
  • 225
  • 1
  • 5
6
votes
1 answer

RSA Digital Signature vs Elgamal Digital Signature

What are the advantages of RSA signatures against ElGamal signatures? Is there a situation in which it would be better e.g. to use RSA signatures?
userkir
  • 403
  • 5
  • 12
5
votes
1 answer

Security analysis for a extended ElGamal Signature against selective unforgeability

Let $H$ is a cryptography hash function and $\Pi=(\mathsf{G}, \mathsf{S}, \mathsf{V})$ is a digital signature, as follows: $(h_1=g^x,h_2=g^y) \leftarrow \mathsf{G}(1^n)$, where $x,y$ uniformly random from $\mathbb{Z}^*_q \ .$ $(r=g^k,s=(H(m)-x…
rafael
  • 71
  • 5
5
votes
1 answer

Signature Scheme with proof of data possession

Most signature schemes first hash the data and than sign the hash. Correct me if I am wrong: The signature does not prove that the signatory was in possession of the document itself? In cases where the document hash but not the document itself is…
Titusz
  • 153
  • 5
5
votes
1 answer

Can ElGamal encryption and ElGamal signatures be used together sharing the same key-pairs?

I'm working on a encryption system where each party can store exactly a single ElGamal private key in a device. This is a hardware limit. The system must be expanded to support signatures and encryption. Can each party use the same key-pair for both…
SDL
  • 1,927
  • 13
  • 25
5
votes
1 answer

Why is the El Gamal commitment scheme information theoretically binding?

I am a bit stuck on the following claim: The ElGamal commitment scheme is information theoretically binding As far as I understand, an adversary $A$ would win the binding game if it is able to find an $x\prime\neq x$ such that…
rzdzc2WUQKJeB6GS
  • 267
  • 1
  • 2
  • 8
5
votes
1 answer

Safe generator for ElGamal signature

What are the properties a generator $g$ should have to be secure for ElGamal signatures (original scheme)? I am aware that it is poorly chosen and not secure when $g|p-1$ or $g^{-1}|p-1$, where $p$ is the large prime so that $g$ generates $Z_p^*$…
SquareRootOfTwentyThree
  • 1,755
  • 12
  • 17
5
votes
2 answers

Elgamal test vectors

I know that Elgamal algorithms have fallen out of fashion, and they are not included in any widespread cryptographic standard nowadays. However, they are still present in several popular crypto libraries (bouncy castle, botan, cryptopp, etc). One…
SquareRootOfTwentyThree
  • 1,755
  • 12
  • 17
5
votes
1 answer

Why is ElGamal considered non-deterministic?

One difference between RSA and ElGamal is that ElGamal isn't necessarily deterministic (while RSA is). What makes it non-deterministic? Is this advantageous to security? How else does this property affect ElGamal encryption or the ElGamal signature…
Bobby S
  • 1,973
  • 4
  • 23
  • 30
5
votes
1 answer

Is it insecure to sign the value 0 with ElGamal?

Is it insecure to sign the plaintext 0 with ElGamal signature algorithm? Can this leak the private key, give the possibility to forge other signatures or does provide any other attack vector?
PCFX
  • 63
  • 4
4
votes
2 answers

Why do we need to hash both the message and the $h$ value in ElGamal signature?

The professor left us a question on ElGamal signatures: Given the hash function $H$ and message $M$, choose a random $r$ and compute $h=g^r$ and $H(M||h)$. Show that, if $H(M)$ is used instead of $H(M||h)$, the signature can be existentially…
Oliver Hu
  • 41
  • 2
1
2 3 4 5 6 7