In the ElGamal signature scheme $\text{sig}_{k_{pr}}(x,k_E)=(r,s)$, $s=0$ is not allowed. How does this lead to finding the private key $d$?
- Did you check that the signature can be verified? – kelalaka Jan 04 '22 at 16:45
- Thanks. For verification we should have $\beta^r.r^s \bmod p=\alpha^x$, which in this particular case leads to $\alpha^{d.r+0}\neq \alpha^x$. And using hash functions will not solve this problem, is that true? – Mohammadsadeq Borjiyan Jan 04 '22 at 19:39
- The $m$ should already be the hash of the message; otherwise, the signature space will be limited. I couldn't find a dupe for this. If you want, you can write an answer to your question. – kelalaka Jan 04 '22 at 19:55
- Thanks dear Henry. – Mohammadsadeq Borjiyan Jan 04 '22 at 20:55
1 Answer
For $s=0$, we will have a problem verifying the signature. For verification, we should have $\beta^r \cdot r^s=\alpha^x$. This special case, $s=0$, leads to $\beta^r \cdot r^0=\beta^r=\alpha^{d \cdot r}$, which must be equal to $\alpha^x$, i.e. $d \cdot r=x$, but $d \cdot r$ is equal for every $x$ and this has no meaning.

tur11ng
- That is more than that. $r$ is public in the signature, then you find the $d$ :) – kelalaka Jan 04 '22 at 21:06
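The point of the last comment, as an added example (not code from the question, the answer or the comments): with $s=0$ the signing equation $s=(x-d\cdot r)\,k_E^{-1} \bmod (p-1)$ collapses to $x \equiv d\cdot r \pmod{p-1}$, so the public pair $(x,r)$ determines $d$, which is why a signer must draw a fresh $k_E$ instead of releasing such a signature. The toy parameters $p=467$, $\alpha=2$, the function names and the `allow_zero_s` switch are assumptions made for illustration.

```python
# Added example: toy ElGamal signatures, showing why a signer must reject s = 0.
# All parameters are constructed for illustration and far too small for real use.
from math import gcd

P, ALPHA = 467, 2  # small prime p and a generator alpha of Z_p^* (constructed)

def sign(x, d, k_e, allow_zero_s=False):
    """Return (r, s) with r = alpha^k_E mod p, s = (x - d*r) * k_E^-1 mod (p-1)."""
    if gcd(k_e, P - 1) != 1:
        raise ValueError("k_E must be invertible mod p-1")
    r = pow(ALPHA, k_e, P)
    s = (x - d * r) * pow(k_e, -1, P - 1) % (P - 1)
    if s == 0 and not allow_zero_s:
        # The hardened signer never releases s = 0; the caller retries with a new k_E.
        raise ValueError("s = 0: pick a fresh k_E")
    return r, s

def verify(x, r, s, beta):
    """Check beta^r * r^s == alpha^x (mod p), rejecting out-of-range r and s = 0."""
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(beta, r, P) * pow(r, s, P) % P == pow(ALPHA, x, P)

def recover_d_from_zero_s(x, r, beta):
    """Solve r*d = x (mod p-1) for d, using only public values (x, r, beta)."""
    n = P - 1
    g = gcd(r, n)
    if x % g:
        return None  # inconsistent with s = 0; no solution exists
    d0 = (x // g) * pow(r // g, -1, n // g) % (n // g)
    # When gcd(r, p-1) = g > 1 there are g candidates; beta identifies the real one.
    for i in range(g):
        d = d0 + i * (n // g)
        if pow(ALPHA, d, P) == beta:
            return d
    return None

if __name__ == "__main__":
    d, k_e = 127, 213                      # constructed private key and nonce
    beta = pow(ALPHA, d, P)
    x = d * pow(ALPHA, k_e, P) % (P - 1)   # a message value that forces s = 0
    r, s = sign(x, d, k_e, allow_zero_s=True)
    print("signature:", (r, s), "recovered d:", recover_d_from_zero_s(x, r, beta))
```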