Consider a variant of DSA in which the message space is $\mathbb Z_q$ and the hash function is replaced by the identity function. (So the second component of the signature is now $s := k^{-1} \cdot (m + xr) \bmod q$). Show that this variant is not secure.

How would one go about this problem?

Bissi
badoo
  • Possible duplicate of https://crypto.stackexchange.com/questions/44862/ecdsa-signature-without-hashing-or-with-offloaded-hash – Bissi Jan 23 '19 at 20:16
  • @badoo Feel free to remove questions once you've found a duplicate with a good answer, otherwise it takes time out of everybody that's doing the review rounds. I'll vote it up before closing it so you can upvote the other question/answers. – Maarten Bodewes Jan 24 '19 at 12:12
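
The following is an added example, not part of the original thread: it implements the verifier for the identity-hash variant described in the question and shows that it accepts a triple $(m, r, s)$ computed from the public key alone, which is why the hash step cannot be dropped. The parameters `P`, `Q`, `G` and all function names are assumptions constructed for illustration.

```python
# Toy parameters (constructed for illustration, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def keygen(x):
    """Public key y = g^x mod p for private key x in [1, q-1]."""
    return pow(G, x, P)

def sign(x, m, k):
    """Hashless variant: s = k^{-1} (m + x r) mod q, message m in Z_q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (m + x * r) % Q
    return r, s

def verify(y, m, r, s):
    """Standard DSA check with H(m) replaced by m itself."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, m * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

def public_only_triple(y, u, v):
    """Build (m, r, s) from y alone: r = (g^u y^v mod p) mod q,
    s = r v^{-1}, m = u s (all mod q). Returns None if r == 0."""
    r = pow(G, u, P) * pow(y, v, P) % P % Q
    if r == 0:
        return None
    s = r * pow(v, -1, Q) % Q
    m = u * s % Q
    return m, r, s

def find_accepted_triple(y):
    """Scan (u, v) until a usable triple appears; x is never touched."""
    for u in range(1, Q):
        for v in range(1, Q):
            t = public_only_triple(y, u, v)
            if t is not None:
                return t

if __name__ == "__main__":
    y = keygen(7)                      # private key 7 is used only here
    print("honest:", verify(y, 42, *sign(7, 42, 5)))
    m, r, s = find_accepted_triple(y)
    print("public-only triple accepted:", verify(y, m, r, s), (m, r, s))
```

The check passes because $m s^{-1} = u$ and $r s^{-1} = v$, so the verifier recomputes exactly $g^u y^v$. The message $m$ is determined by $u$ and $v$ rather than chosen freely; with a hash in place, the same construction would require a preimage of $u s$ under $H$.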

0 Answers