ElGamal signature scheme
Encyclopedia
The ElGamal signature scheme is a digital signature
scheme which is based on the difficulty of computing discrete logarithm
s. It was described by Taher ElGamal
in 1984.
The ElGamal signature algorithm described in this article is rarely used in practice. A variant developed at NSA and known as the Digital Signature Algorithm
is much more widely used. There are several other variants. The ElGamal signature scheme must not be confused with ElGamal encryption
which was also invented by Taher ElGamal.
The ElGamal signature scheme allows that a verifier can confirm the authenticity of a message m sent by the signer sent to him over an insecure channel.
These system parameters may be shared between users.
These steps are performed once by the signer.
Then the pair (r,s) is the digital signature of m.
The signer repeats these steps for every signature.
The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.
The signature generation implies
Hence Fermat's little theorem
implies
. Both problems are believed to be difficult. However, as of 2011 no tight reduction to a computational hardness assumption is known.
The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked. Otherwise, an attacker may be able to deduce the secret key x with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
scheme which is based on the difficulty of computing discrete logarithm
Discrete logarithm
In mathematics, specifically in abstract algebra and its applications, discrete logarithms are group-theoretic analogues of ordinary logarithms. In particular, an ordinary logarithm loga is a solution of the equation ax = b over the real or complex numbers...
s. It was described by Taher ElGamal
Taher Elgamal
Dr. Taher Elgamal is an Egyptian cryptographer. Elgamal is sometimes written as El Gamal or ElGamal, but Elgamal is now preferred...
in 1984.
The ElGamal signature algorithm described in this article is rarely used in practice. A variant developed at NSA and known as the Digital Signature Algorithm
Digital Signature Algorithm
The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
is much more widely used. There are several other variants. The ElGamal signature scheme must not be confused with ElGamal encryption
ElGamal encryption
In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1984. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of...
which was also invented by Taher ElGamal.
The ElGamal signature scheme allows that a verifier can confirm the authenticity of a message m sent by the signer sent to him over an insecure channel.
System parameters
- Let H be a collision-resistant hash functionCryptographic hash functionA cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...
. - Let p be a large primePrime numberA prime number is a natural number greater than 1 that has no positive divisors other than 1 and itself. A natural number greater than 1 that is not a prime number is called a composite number. For example 5 is prime, as only 1 and 5 divide it, whereas 6 is composite, since it has the divisors 2...
such that computing discrete logarithmDiscrete logarithmIn mathematics, specifically in abstract algebra and its applications, discrete logarithms are group-theoretic analogues of ordinary logarithms. In particular, an ordinary logarithm loga is a solution of the equation ax = b over the real or complex numbers...
s moduloModular arithmeticIn mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
p is difficult. - Let g < p be a randomly chosen generator of the multiplicative group of integers modulo pMultiplicative group of integers modulo nIn modular arithmetic the set of congruence classes relatively prime to the modulus n form a group under multiplication called the multiplicative group of integers modulo n. It is also called the group of primitive residue classes modulo n. In the theory of rings, a branch of abstract algebra, it...
.
These system parameters may be shared between users.
Key generation
- Choose randomly a secret key x with 1 < x < p − 1.
- Compute y = g x mod p.
- The public key is (p, g, y).
- The secret key is x.
These steps are performed once by the signer.
Signature generation
To sign a message m the signer performs the following steps.- Choose a random k such that 0 < k < p − 1 and gcd(k, p − 1) = 1.
- Compute
. - Compute
. - If
start over again.
Then the pair (r,s) is the digital signature of m.
The signer repeats these steps for every signature.
Verification
A signature (r,s) of a message m is verified as follows.-
and 
. -
The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.
Correctness
The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.The signature generation implies
Hence Fermat's little theorem
Fermat's little theorem
Fermat's little theorem states that if p is a prime number, then for any integer a, a p − a will be evenly divisible by p...
implies
Security
A third party can forge signatures either by finding the signer's secret key x or by finding collisions in the hash function. Both problems are believed to be difficult. However, as of 2011 no tight reduction to a computational hardness assumption is known.The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked. Otherwise, an attacker may be able to deduce the secret key x with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.
See also
- Modular ArithmeticModular arithmeticIn mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
- Digital Signature AlgorithmDigital Signature AlgorithmThe Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
- Elliptic Curve DSAElliptic Curve DSAThe Elliptic Curve Digital Signature Algorithm is a variant of the Digital Signature Algorithm which uses Elliptic curve cryptography.-Key and signature size comparison to DSA:...
- ElGamal encryptionElGamal encryptionIn cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1984. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of...
- Schnorr signatureSchnorr signatureIn cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm. Its security is based on the intractability of certain discrete logarithm problems. It is considered the simplest digital signature scheme to be provably secure in a random oracle model . It is...