Does this simple signature scheme work?

Question

Let's say my public key is defined as $P = p \cdot G$, where $p$ is my private key and $G$ is a generator point of an elliptic curve. If I wanted to sign a message $m$, could I do the following?

Hash $m$ to a number using a hash function: $h = Hash(m)$.
Compute signature as $S = \frac{p}{h} \cdot G$.

The verification of the signature can then be done by checking that $P = Hash(m) \cdot S$.

This seems like it should work - but also seems too simple - so, I'm wondering if there is anything I'm missing here.

$1/h$ is a scalar division in the prime finite field $\mathbb{F}_q$. So $1/h = a$ where $a$ is Bezout's coefficient ($a.h+b.q=1$). — Youssef El Housni, Dec 17 '18 at 10:21

score 2 · Accepted Answer · answered Dec 17 '18 at 13:11

This signature scheme doesn't even provide UF-KOA security.

The attack is simple: When you want to forge a signature for a message $m$, given a public key $P$, simply compute $h=H(m), h'=h^{-1}\bmod q$ and $S=h'\cdot P$, with $q$ being the order of the subgroup generated by $G$ (usually the curve order). $S$ is then your forged signature for $m$.

This works as:

Does this simple signature scheme work?

1 Answers1