Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
ElGamal signature scheme
open-in-new
<h2 id="overview">Overview</h2> <p>The ElGamal signature scheme is a digital signature scheme based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature provides message authentication (the receiver can verify the origin of the message), integrity (the receiver can verify that the message has not been modified since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the message). </p> <h2 id="history">History</h2> <p>The ElGamal signature scheme was described by <a href="/facts/Taher_Elgamal/mx5Ers0r">Taher Elgamal</a> in 1985.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> It is based on the <a href="/facts/Diffie%25E2%2580%2593Hellman_problem/L5C6bEL5">Diffie–Hellman problem</a>. </p> <h2 id="operation">Operation</h2> <p>The scheme involves four operations: key generation (which creates the key pair), key distribution, signing and signature verification. </p> <h3>Key generation</h3> <p>Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes a single key pair for one user. </p> <h4>Parameter generation</h4> <ul><li>Choose a key length N {\displaystyle N} .</li> <li>Choose a N {\displaystyle N} -bit <a href="/facts/Prime_number/L20FLkgn">prime number</a> p {\displaystyle p} </li> <li>Choose a <a href="/facts/Cryptographic_hash_function/cuxkgbST">cryptographic hash function</a> H {\displaystyle H} with output length L {\displaystyle L} bits. If L > N {\displaystyle L>N} , only the leftmost N {\displaystyle N} bits of the hash output are used.</li> <li>Choose a <a href="/facts/Generating_set_of_a_group/B9q5lnFY">generator</a> g < p {\displaystyle g<p} of the <a href="/facts/Multiplicative_group_of_integers_modulo_n/IACS6cgH">multiplicative group of integers modulo <i>p</i></a>, Z p ∗ {\displaystyle Z_{p}^{*}} .</li></ul> <p>The algorithm parameters are ( p , g ) {\displaystyle (p,g)} . These parameters may be shared between users of the system. </p> <h4>Per-user keys</h4> <p>Given a set of parameters, the second phase computes the key pair for a single user: </p> <ul><li>Choose an integer x {\displaystyle x} randomly from { 1 … p − 2 } {\displaystyle \{1\ldots p-2\}} .</li> <li>Compute y := g x mod p {\displaystyle y:=g^{x}{\bmod {p}}} .</li></ul> <p> x {\displaystyle x} is the private key and y {\displaystyle y} is the public key. </p> <h3>Key distribution</h3> <p>The signer should send the public key y {\displaystyle y} to the receiver via a reliable, but not necessarily secret, mechanism. The signer should keep the private key x {\displaystyle x} secret. </p> <h3>Signing</h3> <p>A message m {\displaystyle m} is signed as follows: </p> <ul><li>Choose an integer k {\displaystyle k} randomly from { 2 … p − 2 } {\displaystyle \{2\ldots p-2\}} with k {\displaystyle k} relatively prime to p − 1 {\displaystyle p-1} .</li> <li>Compute r := g k mod p {\displaystyle r:=g^{k}{\bmod {p}}} .</li> <li>Compute s := ( H ( m ) − x r ) k − 1 mod ( p − 1 ) {\displaystyle s:=(H(m)-xr)k^{-1}{\bmod {(}}p-1)} .</li> <li>In the unlikely event that s = 0 {\displaystyle s=0} start again with a different random k {\displaystyle k} .</li></ul> <p>The signature is ( r , s ) {\displaystyle (r,s)} . </p> <h3>Verifying a signature</h3> <p>One can verify that a signature ( r , s ) {\displaystyle (r,s)} is a valid signature for a message m {\displaystyle m} as follows: </p> <ul><li>Verify that 0 < r < p {\displaystyle 0<r<p} and 0 < s < p − 1 {\displaystyle 0<s<p-1} .</li> <li>The signature is valid if and only if g H ( m ) ≡ y r r s ( mod p ) . {\displaystyle g^{H(m)}\equiv y^{r}r^{s}{\pmod {p}}.} </li></ul> <h2 id="correctness">Correctness</h2> <p>The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier. </p><p>The computation of s {\displaystyle s} during signature generation implies </p> H ( m ) ≡ x r + s k ( mod p − 1 ) . {\displaystyle H(m)\,\equiv \,xr+sk{\pmod {p-1}}.} <p>Since g {\displaystyle g} is relatively prime to p {\displaystyle p} , </p> g H ( m ) ≡ g x r + s k ( mod p ) ≡ ( g x ) r ( g k ) s ( mod p ) ≡ ( y ) r ( r ) s ( mod p ) . {\displaystyle {\begin{aligned}g^{H(m)}&\equiv g^{xr+sk}{\pmod {p}}\\&\equiv (g^{x})^{r}(g^{k})^{s}{\pmod {p}}\\&\equiv (y)^{r}(r)^{s}{\pmod {p}}.\\\end{aligned}}} <h2 id="security">Security</h2> <p>A third party can forge signatures either by finding the signer's secret key <i>x</i> or by finding collisions in the hash function H ( m ) ≡ H ( M ) ( mod p − 1 ) {\displaystyle H(m)\equiv H(M){\pmod {p-1}}} . Both problems are believed to be difficult. However, as of 2011 no tight reduction to a <a href="/facts/Computational_hardness_assumption/ewjpb1I7">computational hardness assumption</a> is known. </p><p>The signer must be careful to choose a different <i>k</i> uniformly at random for each signature and to be certain that <i>k</i>, or even partial information about <i>k</i>, is not leaked. Otherwise, an attacker may be able to deduce the secret key <i>x</i> with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of <i>k</i> and the same key, then an attacker can compute <i>x</i> directly.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <h3>Existential forgery</h3> <p>The original paper<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> did not include a <a href="/facts/Cryptographic_hash_function/cuxkgbST">hash function</a> as a system parameter. The message <i>m</i> was used directly in the algorithm instead of <i>H(m)</i>. This enables an attack called <a href="/facts/Existential_forgery/zQWXx65W">existential forgery</a>, as described in section IV of the paper. Pointcheval and Stern generalized that case and described two levels of forgeries:<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p> <ol><li>The one-parameter forgery. Select an e {\displaystyle e} such that 1 < e < p − 1 {\displaystyle 1<e<p-1} . Set r := g e y mod p {\displaystyle r:=g^{e}y{\bmod {p}}} and s := − r mod ( p − 1 ) {\displaystyle s:=-r{\bmod {(p-1)}}} . Then the tuple ( r , s ) {\displaystyle (r,s)} is a valid signature for the message m = e s mod ( p − 1 ) {\displaystyle m=es{\bmod {(p-1)}}} .</li> <li>The two-parameters forgery. Select 1 < e , v < p − 1 {\displaystyle 1<e,v<p-1} , and gcd ( v , p − 1 ) = 1 {\displaystyle \gcd(v,p-1)=1} . Set r := g e y v mod p {\displaystyle r:=g^{e}y^{v}{\bmod {p}}} and s := − r v − 1 mod ( p − 1 ) {\displaystyle s:=-rv^{-1}{\bmod {(p-1)}}} . Then the tuple ( r , s ) {\displaystyle (r,s)} is a valid signature for the message m = e s mod ( p − 1 ) {\displaystyle m=es{\bmod {(p-1)}}} . The one-parameter forgery is a special case of the two-parameter forgery, when v = 1 {\displaystyle v=1} .</li></ol> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Modular_arithmetic/0wtRa5dU">Modular arithmetic</a></li> <li><a href="/facts/Digital_Signature_Algorithm/0o0FK486">Digital Signature Algorithm</a></li> <li><a href="/facts/Elliptic_Curve_Digital_Signature_Algorithm/gl0mfnS1">Elliptic Curve Digital Signature Algorithm</a></li> <li><a href="/facts/ElGamal_encryption/sKDVyMyR">ElGamal encryption</a></li> <li><a href="/facts/Schnorr_signature/YUqfT85P">Schnorr signature</a></li> <li><a href="/facts/Pointcheval%25E2%2580%2593Stern_signature_algorithm/LNhFMeuS">Pointcheval–Stern signature algorithm</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" (PDF). IEEE Transactions on Information Theory. 31 (4): 469–472. CiteSeerX 10.1.1.476.4791. doi:10.1109/TIT.1985.1057074. S2CID 2973271. (conference version appeared in CRYPTO'84, pp. 10–18) <a href="https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf" target="_blank">https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>K. Nyberg, R. A. Rueppel (1996). "Message recovery for signature schemes based on the discrete logarithm problem". Designs, Codes and Cryptography. 7 (1–2): 61–81. doi:10.1007/BF00125076. S2CID 123533321. <a href="https://link.springer.com/chapter/10.1007/BFb0053434" target="_blank">https://link.springer.com/chapter/10.1007/BFb0053434</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" (PDF). IEEE Transactions on Information Theory. 31 (4): 469–472. CiteSeerX 10.1.1.476.4791. doi:10.1109/TIT.1985.1057074. S2CID 2973271. (conference version appeared in CRYPTO'84, pp. 10–18) <a href="https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf" target="_blank">https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" (PDF). IEEE Transactions on Information Theory. 31 (4): 469–472. CiteSeerX 10.1.1.476.4791. doi:10.1109/TIT.1985.1057074. S2CID 2973271. (conference version appeared in CRYPTO'84, pp. 10–18) <a href="https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf" target="_blank">https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" (PDF). IEEE Transactions on Information Theory. 31 (4): 469–472. CiteSeerX 10.1.1.476.4791. doi:10.1109/TIT.1985.1057074. S2CID 2973271. (conference version appeared in CRYPTO'84, pp. 10–18) <a href="https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf" target="_blank">https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Pointcheval, David; Stern, Jacques (2000). "Security Arguments for Digital Signatures and Blind Signatures" (PDF). J Cryptology. 13 (3): 361–396. CiteSeerX 10.1.1.208.8352. doi:10.1007/s001450010003. S2CID 1912537. Archived from the original (PDF) on 2021-04-22. Retrieved 2019-08-17. <a href="/wiki/Jacques_Stern" target="_blank">/wiki/Jacques_Stern</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> </ol>