词条 | ElGamal signature scheme |
释义 |
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1984.[1] The ElGamal signature algorithm is rarely used in practice. A variant developed at the NSA and known as the Digital Signature Algorithm is much more widely used. There are several other variants.[2] The ElGamal signature scheme must not be confused with ElGamal encryption which was also invented by Taher Elgamal. The ElGamal signature scheme allows a third-party to confirm the authenticity of a message. System parameters
These system parameters may be shared between users. Key generation
These steps are performed once by the signer. Signature generationTo sign a message m the signer performs the following steps.
Then the pair (r,s) is the digital signature of m. The signer repeats these steps for every signature. VerificationA signature (r,s) of a message m is verified as follows.
The verifier accepts a signature if all conditions are satisfied and rejects it otherwise. CorrectnessThe algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier. The signature generation implies Hence Fermat's little theorem implies SecurityA third party can forge signatures either by finding the signer's secret key x or by finding collisions in the hash function . Both problems are believed to be difficult. However, as of 2011 no tight reduction to a computational hardness assumption is known. The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked. Otherwise, an attacker may be able to deduce the secret key x with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.[1] Existential forgeryThe original paper[1] did not include a hash function as a system parameter. The message m was used directly in the algorithm instead of H(m). This enables an attack called existential forgery, as described in section IV of the paper. Pointcheval and Stern generalized that case and described two levels of forgeries:[3]
Improved version (with a hash) is known as Pointcheval–Stern signature algorithm See also
References1. ^1 2 {{cite journal|author=T. ElGamal |title=A public key cryptosystem and a signature scheme based on discrete logarithms |journal=IEEE Trans Inf Theory |volume=31 |issue=4 |pages=469–472 |year=1985 |url=http://thiagogenez-tcc.googlecode.com/svn/trunk/article/IEEE/elGamal.pdf |deadurl=yes |archiveurl=https://web.archive.org/web/20150513050628/http://thiagogenez-tcc.googlecode.com/svn/trunk/article/IEEE/elGamal.pdf |archivedate=2015-05-13 |df= |doi=10.1109/TIT.1985.1057074 |citeseerx=10.1.1.476.4791 }} - this article appeared earlier in the proceedings to Crypto '84. {{Cryptography navbox | public-key}}{{DEFAULTSORT:Elgamal Signature Scheme}}2. ^{{cite journal |author=K. Nyberg, R. A. Rueppel |title=Message recovery for signature schemes based on the discrete logarithm problem |journal=Designs, Codes and Cryptography |volume=7 |issue=1–2 |pages=61–81 |year=1996 |doi=10.1007/BF00125076 |url=https://link.springer.com/chapter/10.1007/BFb0053434}} 3. ^{{cite journal|last1=Pointcheval|first1=David|last2=Stern|first2=Jacques|title=Security Arguments for Digital Signatures and Blind Signatures|journal=J Cryptology|date=2000|volume=13|issue=3|pages=361–396|url=http://www.math.uni-frankfurt.de/~dmst/teaching/SS2012/Vorlesung/Point.Stern.pdf|doi=10.1007/s001450010003|citeseerx=10.1.1.208.8352}} 1 : Digital signature schemes |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。