3

DSA is an algorithm used to generate a digital signature, which consists of a pair of values $(r,s)$. The algorithm computes $r$ first and then $s$. However, if we calculate $s=0$, it says to restart the algorithm choosing a different pseudorandom integer $k$ as our starting point.

What is the purpose of this? Is a digital signature $(r,s)$ invalid if $s=0$? If so, why?

flubsy
  • 163
  • 5
  • 6
    Note that the verification algorithm for DSA involves computing the inverse of $s$ modulo $q$, which simply does not exist if $s=0$. – yyyyyyy Apr 27 '16 at 01:06
  • @yyyyyyy would you mind giving a proper answer so we can get this question off our list of unanswered questions (and you can use a community wiki if you don't want cheap rep ;) – SEJPM Apr 27 '16 at 11:47

1 Answers1

3

The algorithm needs to be restarted because the private key $x$ can be obtained when $s=0$. From:

$s=[k^{-1}( H(M) + xr)] \mod q$

We can solve for $x$ and get:

$x=\frac{-H(M)}{r} \mod q$

denryoku
  • 46
  • 3