MHB Is ElGamal Signature Scheme Secure Without Using a Hash Function?

  • Thread starter Thread starter mathmari
  • Start date Start date
AI Thread Summary
The discussion revolves around the security of the ElGamal signature scheme when not using a hash function. It highlights that signing a message directly without hashing can lead to vulnerabilities, specifically existential forgery. A user is seeking guidance on constructing a signature for a modified message based on a given signature, emphasizing the implications of the lack of hashing. The response points out that the absence of hashing makes the scheme susceptible to attacks, urging awareness of these risks. The conversation underscores the importance of incorporating hash functions in cryptographic protocols to maintain security.
mathmari
Gold Member
MHB
Messages
4,984
Reaction score
7
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)
 
Mathematics news on Phys.org
mathmari said:
Hey! :o

Alice uses the ElGamal signature scheme in the group $(\mathbb{Z}/p\mathbb{Z})^{\star}$ without the use of a hash function. To sign the message $m \in (\mathbb{Z}/p\mathbb{Z})^{\star}$ she calculates the signature $(r,s)$ as follows:
she choose a random $k \in \{0, 1, \dots , q-1\}$, where $q \mid p-1$ is a prime and the order of the basis $g$, and then she calculates $$r \equiv g^k \pmod p \ \ , \ \ s \equiv k^{-1} (m+ar) \pmod q$$ where $a$ is the private key.

  1. Show that given the signature$(r, s)$ at the message $m$ we can construct the signature at the message $rm \pmod q$ (without knowing the private key of Alice).
  2. For $p=23, g=2, q=11$, we are given given the signature $(18, 3)$ at the message $m=2$. Construct a signature at the message $m'=3$ (without calculating the private key). The public key of Alice is $y=13$.

Could you give me some hints for the first question?? How can we find the signature at the message $rm \pmod q$ ?? (Wondering)

Hi mathmari,

Let me give you a hint. Probably if you are taking a Cryptography course you might have learned (which I assume seeing your previous questions about the ElGamal scheme) that the message is hashed before being encrypted using the ElGamal scheme.

In this question that hashing process was not done. This makes the scheme vulnerable to an attack known as Existential Forgery. All you got to know about this is mentioned in the Wikipedia link.

https://en.wikipedia.org/wiki/ElGamal_signature_scheme#Existential_forgery
 
Thread 'Video on imaginary numbers and some queries'
Hi, I was watching the following video. I found some points confusing. Could you please help me to understand the gaps? Thanks, in advance! Question 1: Around 4:22, the video says the following. So for those mathematicians, negative numbers didn't exist. You could subtract, that is find the difference between two positive quantities, but you couldn't have a negative answer or negative coefficients. Mathematicians were so averse to negative numbers that there was no single quadratic...
Insights auto threads is broken atm, so I'm manually creating these for new Insight articles. In Dirac’s Principles of Quantum Mechanics published in 1930 he introduced a “convenient notation” he referred to as a “delta function” which he treated as a continuum analog to the discrete Kronecker delta. The Kronecker delta is simply the indexed components of the identity operator in matrix algebra Source: https://www.physicsforums.com/insights/what-exactly-is-diracs-delta-function/ by...
Thread 'Unit Circle Double Angle Derivations'
Here I made a terrible mistake of assuming this to be an equilateral triangle and set 2sinx=1 => x=pi/6. Although this did derive the double angle formulas it also led into a terrible mess trying to find all the combinations of sides. I must have been tired and just assumed 6x=180 and 2sinx=1. By that time, I was so mindset that I nearly scolded a person for even saying 90-x. I wonder if this is a case of biased observation that seeks to dis credit me like Jesus of Nazareth since in reality...

Similar threads

Replies
3
Views
2K
Replies
1
Views
2K
Replies
2
Views
1K
Replies
1
Views
2K
Replies
6
Views
2K
Replies
2
Views
2K
Back
Top