3

In the original paper, ElGamal(1985) starts his discussion of signatures by saying:

"The signature ..... is chosen such that the equation:

$\alpha^m = y^r r^s \text{mod p}$ (equation 3 from the paper)

is satisfied."

(In this paper: $m$ is the message, $s$ is the signature, $y=\alpha^x$ mod $p$ is the public key, $x$ is the private key, $k$ is the ephermal (secret) key and $r=\alpha^k$ mod $p$)

Everything else follows from this. Why this particular form? What the rational if any? This just seems to come out of no where. Why not, for example:

$\alpha^s = y^r r^m \text{mod p} $

with $s = rx+km$? (There is probably an obvious reason that I am missing, please do point it out!)

DrEntropy
  • 163
  • 4
  • 1
    Well I can't explain the rationale behind this particular equation (yet). But there are 6 possible signing / verification equations for ElGamal according to the Handbook of Applied Cryptography. These are (verification only): $\alpha^{h(m)}=y^rr^s$, $\alpha^{h(m)}=y^sr^r$, $\alpha^s=y^rr^{h(m)}$, $\alpha^s=y^{h(m)}r^r$, $\alpha^r=y^sr^{h(m)}$, $\alpha^r=y^{h(m)}r^s$. (all mod p, h(m)=m is allowed). – SEJPM Apr 29 '15 at 19:47
  • 1
    Probably the first working formula ElGamal found. There are other formulas which work as well (e.g Schnorr and DSA). – CodesInChaos Apr 29 '15 at 21:31
  • Thanks for the reference to the Handbook! I wrote down those same six variants and tried to figure out what made the one ElGamal chose special...I figured there must be some significant weakness in the other 5. (Some of them are just odd though). Perhaps it was somewhat arbitrary? – DrEntropy Apr 30 '15 at 00:14
  • 1
    Well, as far as I know, he ain't dead yet. Maybe a well formatted mail... – Maarten Bodewes Apr 30 '15 at 07:33
  • Well i would love to email him, but since he is CTO at Salesforce.com he is not so reachable :) – DrEntropy May 05 '15 at 02:28

0 Answers0