|
|
| Line 1: |
Line 1: |
| The '''ElGamal signature scheme''' is a [[digital signature]] scheme which is based on the difficulty of computing [[discrete logarithm]]s. It was described by [[Taher ElGamal]] in 1984.<ref name="ElgamalOriginalArticle">{{cite journal |author=T. ElGamal |title=A public key cryptosystem and a signature scheme based on discrete logarithms |journal=IEEE Trans inf Theo |volume=31 |issue=4 |pages=469–472 |year=1985 |url=http://thiagogenez-tcc.googlecode.com/svn/trunk/article/IEEE/elGamal.pdf}} - this article appeared earlier in the [http://www.informatik.uni-trier.de/~ley/db/conf/crypto/crypto84.html proceedings to Crypto '84].</ref>
| | They contact me Emilia. To gather badges is what her family members and her appreciate. California is our beginning place. My day job is a meter reader.<br><br>My webpage :: [http://Uin.cc/dietfooddelivery78594 uin.cc] |
| | |
| The ElGamal signature algorithm described in this article is rarely used in practice. A variant developed at [[NSA]] and known as the [[Digital Signature Algorithm]] is much more widely used. There are several other variants.<ref>{{cite journal |author=K. Nyberg, R. A. Rueppel |title=Message recovery for signature schemes based on the discrete logarithm problem |journal=Designs, Codes and Cryptography |volume=7 |issue=1-2 |pages=61–81 |year=1996 |doi=10.1007/BF00125076 |url=http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/E94/182.PDF}}</ref> The ElGamal signature scheme must not be confused with [[ElGamal encryption]] which was also invented by Taher ElGamal.
| |
| | |
| The ElGamal signature scheme allows a third-party to confirm the authenticity of a message sent over an insecure channel.
| |
| | |
| ==System parameters==
| |
| * Let ''H'' be a [[cryptographic hash function|collision-resistant hash function]].
| |
| * Let ''p'' be a large [[prime number|prime]] such that computing [[discrete logarithm]]s [[modular arithmetic|modulo]] ''p'' is difficult.
| |
| * Let ''g'' < ''p'' be a randomly chosen [[Generating set of a group|generator]] of the [[Multiplicative group of integers modulo n|multiplicative group of integers modulo ''p'']] <math>Z_p^*</math>.
| |
| | |
| These system parameters may be shared between users.
| |
| | |
| ==Key generation==
| |
| * Randomly choose a secret key ''x'' with 1 < ''x'' < ''p'' − 1.
| |
| * Compute ''y'' = ''g''<sup> ''x''</sup> mod ''p''.
| |
| * The public key is (''p'', ''g'', ''y'').
| |
| * The secret key is ''x''.
| |
| These steps are performed once by the signer.
| |
| | |
| ==Signature generation==
| |
| To sign a message ''m'' the signer performs the following steps.
| |
| * Choose a random ''k'' such that 0 < ''k'' < ''p'' − 1 and gcd(''k'', ''p'' − 1) = 1.
| |
| * Compute <math> r \, \equiv \, g^k \pmod p</math>.
| |
| * Compute <math> s \, \equiv \, (H(m)-x r)k^{-1} \pmod{p-1}</math>.
| |
| * If <math>s=0</math> start over again.
| |
| Then the pair (''r'',''s'') is the digital signature of ''m''.
| |
| The signer repeats these steps for every signature.
| |
| | |
| ==Verification==
| |
| A signature (''r'',''s'') of a message ''m'' is verified as follows.
| |
| * <math>0<r<p</math> and <math>0<s<p-1</math>.
| |
| * <math> g^{H(m)} \equiv y^r r^s \pmod p.</math>
| |
| The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.
| |
| | |
| ==Correctness==
| |
| The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.
| |
| | |
| The signature generation implies
| |
| : <math> H(m) \, \equiv \, x r + s k \pmod{p-1}.</math> | |
| Hence [[Fermat's little theorem]] implies
| |
| :<math> | |
| \begin{align}
| |
| g^{H(m)} & \equiv g^{xr} g^{ks} \\
| |
| & \equiv (g^{x})^r (g^{k})^s \\
| |
| & \equiv (y)^r (r)^s \pmod p.\\
| |
| \end{align}
| |
| </math>
| |
| | |
| ==Security==
| |
| A third party can forge signatures either by finding the signer's secret key ''x'' or by finding collisions in the hash function <math>H(m) \equiv H(M) \pmod{p-1}</math>. Both problems are believed to be difficult. However, as of 2011 no tight reduction to a [[computational hardness assumption]] is known.
| |
| | |
| The signer must be careful to choose a different ''k'' uniformly at random for each signature and to be certain that ''k'', or even partial information about ''k'', is not leaked. Otherwise, an attacker may be able to deduce the secret key ''x'' with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of ''k'' and the same key, then an attacker can compute ''x'' directly.<ref name="ElgamalOriginalArticle" />
| |
| | |
| ==See also==
| |
| * [[Modular arithmetic]]
| |
| * [[Digital Signature Algorithm]]
| |
| * [[Elliptic Curve DSA]]
| |
| * [[ElGamal encryption]]
| |
| * [[Schnorr signature]]
| |
| | |
| ==References==
| |
| {{reflist}}
| |
| | |
| {{Cryptography navbox | public-key}}
| |
| | |
| {{DEFAULTSORT:Elgamal Signature Scheme}}
| |
| [[Category:Digital signature schemes]]
| |
They contact me Emilia. To gather badges is what her family members and her appreciate. California is our beginning place. My day job is a meter reader.
My webpage :: uin.cc