MHB Is ElGamal Signature Scheme Secure Without Using a Hash Function?

  • Thread starter Thread starter mathmari
  • Start date Start date
AI Thread Summary
The discussion revolves around the security of the ElGamal signature scheme when not using a hash function. It highlights that signing a message directly without hashing can lead to vulnerabilities, specifically existential forgery. A user is seeking guidance on constructing a signature for a modified message based on a given signature, emphasizing the implications of the lack of hashing. The response points out that the absence of hashing makes the scheme susceptible to attacks, urging awareness of these risks. The conversation underscores the importance of incorporating hash functions in cryptographic protocols to maintain security.
mathmari
Gold Member
MHB
Messages
4,984
Reaction score
7
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)
 
Mathematics news on Phys.org
mathmari said:
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)

Hi mathmari,

Let me give you a hint. Probably if you are taking a Cryptography course you might have learned (which I assume seeing your previous questions about the ElGamal scheme) that the message is hashed before being encrypted using the ElGamal scheme.

In this question that hashing process was not done. This makes the scheme vulnerable to an attack known as Existential Forgery. All you got to know about this is mentioned in the Wikipedia link.

https://en.wikipedia.org/wiki/ElGamal_signature_scheme#Existential_forgery
 

Thread 'What Exactly is Dirac’s Delta Function? - Insight'

Insights auto threads is broken atm, so I'm manually creating these for new Insight articles. In Dirac’s Principles of Quantum Mechanics published in 1930 he introduced a “convenient notation” he referred to as a “delta function” which he treated as a continuum analog to the discrete Kronecker delta. The Kronecker delta is simply the indexed components of the identity operator in matrix algebra Source: https://www.physicsforums.com/insights/what-exactly-is-diracs-delta-function/ by...
View full post »

Thread 'Fermat's Last Theorem'

Fermat's Last Theorem has long been one of the most famous mathematical problems, and is now one of the most famous theorems. It simply states that the equation $$ a^n+b^n=c^n $$ has no solutions with positive integers if ##n>2.## It was named after Pierre de Fermat (1607-1665). The problem itself stems from the book Arithmetica by Diophantus of Alexandria. It gained popularity because Fermat noted in his copy "Cubum autem in duos cubos, aut quadratoquadratum in duos quadratoquadratos, et...
View full post »
Thread 'Imaginary Pythagorus'

Thread 'Imaginary Pythagorus'

I posted this in the Lame Math thread, but it's got me thinking. Is there any validity to this? Or is it really just a mathematical trick? Naively, I see that i2 + plus 12 does equal zero2. But does this have a meaning? I know one can treat the imaginary number line as just another axis like the reals, but does that mean this does represent a triangle in the complex plane with a hypotenuse of length zero? Ibix offered a rendering of the diagram using what I assume is matrix* notation...
View full post »

Similar threads

MHB Calculating RSA Signature at Message m=2 w/o Hash Function
Replies
3
Views
2K
MHB How can we find the private key?
Replies
3
Views
2K
MHB How Can You Multiply Ciphertexts in ElGamal Without Decrypting?
Replies
1
Views
2K
MHB How can we find the decrypted message?
Replies
1
Views
2K
MHB Number of natural numbers that have primitive roots
Replies
5
Views
1K
MHB Why do we get like that the message?
Replies
2
Views
994
MHB Every Cauchy sequence converges
Replies
1
Views
2K
MHB Pythagorean Triples- Why is this the proof?
Replies
6
Views
2K
Polynomial finite fields; ElGamal decryption
Replies
2
Views
2K
I Meaning of "identify" & variations in different math context
Replies
5
Views
516

Hot Threads

Recent Insights

Back
Top