ElGamal signature scheme


The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.
The ElGamal signature algorithm is rarely used in practice. A variant developed at the NSA and known as the Digital Signature Algorithm is much more widely used. There are several other variants. The ElGamal signature scheme must not be confused with ElGamal encryption which was also invented by Taher Elgamal.

Overview

The ElGamal signature scheme is a digital signature scheme based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature provides message authentication, integrity and non-repudiation.

History

The ElGamal signature scheme was described by Tahir Elgamal in 1985.

Operation

The scheme involves four operations: key generation, key distribution, signing and signature verification.

Key generation

Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes a single key pair for one user.

Parameter generation

The algorithm parameters are. These parameters may be shared between users of the system.

Per-user keys

Given a set of parameters, the second phase computes the key pair for a single user:
is the private key and is the public key.

Key distribution

The signer should send the public key to the receiver via a reliable, but not necessarily secret, mechanism. The signer should keep the private key secret.

Signing

A message is signed as follows:
The signature is.

Verifying a signature

One can verify that a signature is a valid signature for a message as follows:
The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.
The computation of during signature generation implies
Since is relatively prime to,

Security

A third party can forge signatures either by finding the signer's secret key x or by finding collisions in the hash function. Both problems are believed to be difficult. However, as of 2011 no tight reduction to a computational hardness assumption is known.
The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked. Otherwise, an attacker may be able to deduce the secret key x with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.

Existential forgery

The original paper did not include a hash function as a system parameter. The message m was used directly in the algorithm instead of H. This enables an attack called existential forgery, as described in section IV of the paper. Pointcheval and Stern generalized that case and described two levels of forgeries:
  1. The one-parameter forgery. Select an such that. Set and. Then the tuple is a valid signature for the message.
  2. The two-parameters forgery. Select, and. Set and. Then the tuple is a valid signature for the message. The one-parameter forgery is a special case of the two-parameter forgery, when.