MHB How can we find the private key?

  • Thread starter Thread starter mathmari
  • Start date Start date
Click For Summary
Alice utilizes the ElGamal signature scheme with parameters p=47, q=23, and g=2, generating signatures for two messages with identical r values. The correct relations for the signatures are clarified as s1=k1^{-1}(h(m1)+ar1) and s2=k2^{-1}(h(m2)+ar2), indicating that k1 and k2 are equal due to the shared r value. By substituting the known values into these equations, two equations can be formed with the unknowns k and a. This method allows for the calculation of Alice's private key without needing to compute a discrete logarithm. The discussion emphasizes the importance of correctly interpreting the signature equations for solving the problem.
mathmari
Gold Member
MHB
Messages
4,984
Reaction score
7
Hey! :o

Alice uses the ElGamal signature scheme with the variables $p=47$, $q=23$ and $g=2$. For two different messages $m_1, m_2$ with $h(m_1)=4, h(m_2)=3$ she produces the signatures $(r_1, s_1)=(14, 8)$ and $r_2, s_2)=(14, 15)$. Calculate the private key of Alice, without calculating a discrete logarithm.

We have the following relations: $$r_1=g^{k_1} \ \ , \ \ s_1=k_1^{-1}(h(m_1)+af(r))\pmod q \\ r_1=g^{k_2} \ \ , \ \ s_2=k_2^{-1} (h(m_2)+af(r))\pmod q$$

What can we do to find $a$ ?? (Wondering)
 
Mathematics news on Phys.org
mathmari said:
Hey! :o

Alice uses the ElGamal signature scheme with the variables $p=47$, $q=23$ and $g=2$. For two different messages $m_1, m_2$ with $h(m_1)=4, h(m_2)=3$ she produces the signatures $(r_1, s_1)=(14, 8)$ and $r_2, s_2)=(14, 15)$. Calculate the private key of Alice, without calculating a discrete logarithm.

We have the following relations: $$r_1=g^{k_1} \ \ , \ \ s_1=k_1^{-1}(h(m_1)+af(r))\pmod q \\ r_1=g^{k_2} \ \ , \ \ s_2=k_2^{-1} (h(m_2)+af(r))\pmod q$$

What can we do to find $a$ ?? (Wondering)

Hi mathmari,

I don't understand the $f$ in your relations. The relations should be,

\[s_1=k_1^{-1}(h(m_1)+ar_1)\pmod q \]

\[s_2=k_2^{-1} (h(m_2)+ar_2)\pmod q$\]

Refer: https://en.wikipedia.org/wiki/ElGamal_signature_scheme

Note that, $r_1=g^{k_1}\mbox{ and }r_2=g^{k_2}$. Since $r_1=r_2$ it implies that, $k_1=k_2=k$.

Now all you a got to do is substitute the given values into the equations and you'll get two equations with $k$ and $a$ as unknowns.
 
Ok... Thanks a lot! (flower)
 
mathmari said:
Ok... Thanks a lot! (flower)

You are welcome. :)
 

Similar threads

MHB How Can You Multiply Ciphertexts in ElGamal Without Decrypting?
  • · Replies 1 ·
Replies
1
Views
2K
MHB Is ElGamal Signature Scheme Secure Without Using a Hash Function?
  • · Replies 1 ·
Replies
1
Views
2K
MHB Calculating RSA Signature at Message m=2 w/o Hash Function
  • · Replies 3 ·
Replies
3
Views
2K
MHB How can we find the decrypted message?
  • · Replies 1 ·
Replies
1
Views
2K
Atwood's machine with two connected discs
  • · Replies 1 ·
Replies
1
Views
2K
MHB What is the Rank of the Direct Sum of Torsion-free Groups?
  • · Replies 1 ·
Replies
1
Views
2K
Finding the Lagrange equations of motion for 2 sliding blocks
  • · Replies 8 ·
Replies
8
Views
4K
I Can We Practically Measure the Gravitomagnetic Effect with Spinning Cylinders?
  • · Replies 66 ·
2
Replies
66
Views
6K
MHB How Can We Find the Minimum 2-Norm of Ax-y Using an Orthogonal Matrix?
  • · Replies 4 ·
Replies
4
Views
2K
Hamiltonian of two identical spin-1/2 particles
  • · Replies 8 ·
Replies
8
Views
6K