MHB Is ElGamal Signature Scheme Secure Without Using a Hash Function?

  • Thread starter Thread starter mathmari
  • Start date Start date
AI Thread Summary
The discussion revolves around the security of the ElGamal signature scheme when not using a hash function. It highlights that signing a message directly without hashing can lead to vulnerabilities, specifically existential forgery. A user is seeking guidance on constructing a signature for a modified message based on a given signature, emphasizing the implications of the lack of hashing. The response points out that the absence of hashing makes the scheme susceptible to attacks, urging awareness of these risks. The conversation underscores the importance of incorporating hash functions in cryptographic protocols to maintain security.
mathmari
Gold Member
MHB
Messages
4,984
Reaction score
7
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)
 
Mathematics news on Phys.org
mathmari said:
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)

Hi mathmari,

Let me give you a hint. Probably if you are taking a Cryptography course you might have learned (which I assume seeing your previous questions about the ElGamal scheme) that the message is hashed before being encrypted using the ElGamal scheme.

In this question that hashing process was not done. This makes the scheme vulnerable to an attack known as Existential Forgery. All you got to know about this is mentioned in the Wikipedia link.

https://en.wikipedia.org/wiki/ElGamal_signature_scheme#Existential_forgery
 
Seemingly by some mathematical coincidence, a hexagon of sides 2,2,7,7, 11, and 11 can be inscribed in a circle of radius 7. The other day I saw a math problem on line, which they said came from a Polish Olympiad, where you compute the length x of the 3rd side which is the same as the radius, so that the sides of length 2,x, and 11 are inscribed on the arc of a semi-circle. The law of cosines applied twice gives the answer for x of exactly 7, but the arithmetic is so complex that the...

Similar threads

Replies
3
Views
2K
Replies
1
Views
2K
Replies
2
Views
1K
Replies
1
Views
2K
Replies
6
Views
2K
Replies
2
Views
2K
Back
Top