Lecture 14

The document summarizes three digital signature schemes: 1) The ElGamal signature scheme, which uses a private key q to sign messages m by computing (γ, δ) where γ and δ satisfy a verification equation. It is insecure if the same k value is used for multiple signatures. 2) The Schnorr signature scheme, which is a variant of ElGamal that produces shorter signatures. It uses an element α that is the rth root of 1 modulo a prime p. 3) The Digital Signature Algorithm (DSA), which is based on ElGamal and Schnorr. It specifies how the public key, private key, and signatures are computed.

Uploaded by

Uma Shankar
ECE596C: Handout #14

Digital Signatures(2)

Electrical and Computer Engineering, University of Arizona,


Loukas Lazos

Abstract. In this lecture we analyze the security of the ElGamal signature scheme and describe the Schnorr and DSA signature schemes. Readings from Chapter 7 of D. Stinson.

1 ElGamal Based Signature Scheme


Recall that the public key is $(p, \alpha, \beta)$, where $\beta = \alpha^{q}$ and $0 \le q \le p-1$. Alice's private key is $q \in \mathbb{Z}_p^*$, and $\alpha$ is a primitive element of the group $\mathbb{Z}_p^*$.

1. Choose a random number $k$ such that $1 \le k \le p-2$.
2. $\mathrm{sig}_K(m, k) = (\gamma, \delta)$; $\gamma = \alpha^{k} \bmod p$; $\delta = (m - q\gamma)k^{-1} \bmod (p-1)$.
3. Alice sends $(m, \mathrm{sig}_K(m, k))$ to Bob.
4. Bob verifies if: $\beta^{\gamma}\gamma^{\delta} \stackrel{?}{\equiv} \alpha^{m} \bmod p$.

Why does the verification work?

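During verification

$$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{q\gamma}\alpha^{k\delta} \bmod p \equiv \alpha^{m} \bmod p, \tag{1}$$

where we used that $q\gamma + k\delta \equiv m \pmod{p-1}$. We can also find the signing algorithm constructively. Let $\alpha^{m} \equiv \beta^{\gamma}\gamma^{\delta} \pmod p$. Then set $\gamma = \alpha^{k} \pmod p$ and $\beta = \alpha^{q}$. Then we obtain

$$\alpha^{m} \equiv \alpha^{q\gamma}\alpha^{k\delta} \pmod p. \tag{2}$$

Since $\alpha$ is a primitive element modulo $p$, the above congruence is true only if the exponents are congruent modulo $(p-1)$. That is,

$$m \equiv q\gamma + k\delta \pmod{p-1}. \tag{3}$$

Then we can solve for $\delta$ and obtain $\delta = (m - q\gamma)k^{-1} \pmod{p-1}$.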

Example of an ElGamal signature computation (ex. 7.1 in Stinson). Let $p = 467$, $\alpha = 2$, $q = 127$.

$$\begin{aligned}
\beta &= \alpha^{q} \bmod p && (4)\\
&= 2^{127} \bmod 467 && (5)\\
&= 132. && (6)
\end{aligned}$$

Let Alice sign the message $m = 100$. She first chooses a random number $k \in \mathbb{Z}_{p-1}^*$. Let this number be $k = 213$. Then she computes

$$\gamma = \alpha^{k} \bmod p = 2^{213} \bmod 467 = 29 \tag{7}$$


2 ECE 596C: Cryptography for Secure Communications with Applications to Network Security

and

$$\delta = (m - q\gamma)k^{-1} \bmod (p-1) = (100 - 127 \times 29) \cdot 431 \bmod 466 = 51. \tag{8}$$

The pair $(\gamma, \delta)$ is the signature for message $m$. Anyone can verify that

$$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{m} \pmod p. \tag{9}$$

1.1 Security of ElGamal Signature Scheme

Suppose that Eve wants to find the signature for message $m$. One way to do so is to choose $\gamma$ randomly and then try to find $\delta$ such that the pair $(\gamma, \delta)$ is valid. That is, she must find a $\delta$ such that $\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{m} \pmod p$. But this is equivalent to solving the discrete logarithm $\log_{\gamma} \alpha^{m}\beta^{-\gamma}$.

Alternatively, she may choose $\delta$ and try to guess $\gamma$. This is equivalent to trying to solve the congruence

$$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{m} \pmod p. \tag{10}$$

This problem is assumed hard to solve, without any formal proof. Alternatively, she may try to find some combination of $\gamma$, $\delta$ simultaneously so as to satisfy the verification algorithm. Again, without formal proof, this is assumed hard to do.

Moreover, Eve may choose $\gamma$, $\delta$ and try to find a message $m$ for which the chosen signature is valid. This is hard to do due to the discrete logarithm problem, as Eve would have to compute $\log_{\alpha} \beta^{\gamma}\gamma^{\delta}$.

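What Eve can do is find an existential forgery by simultaneously choosing $m$, $\gamma$, $\delta$. Let two integers $i, j \in \mathbb{Z}_{p-1}$ and set $\gamma = \alpha^{i}\beta^{j} \bmod p$. Then during verification

$$\alpha^{m} \equiv \beta^{\gamma}(\alpha^{i}\beta^{j})^{\delta} \pmod p. \tag{11}$$

$$\alpha^{m-i\delta} \equiv \beta^{\gamma+j\delta} \pmod p. \tag{12}$$

This is satisfied if:

$$m - i\delta \equiv 0 \bmod (p-1) \tag{13}$$
$$\gamma + j\delta \equiv 0 \bmod (p-1). \tag{14}$$

Given $i$, $j$ we can solve and obtain

$$\gamma = \alpha^{i}\beta^{j} \bmod p, \tag{15}$$
$$\delta = -\gamma j^{-1} \bmod (p-1), \tag{16}$$
$$m = -\gamma i j^{-1} \bmod (p-1). \tag{17}$$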

One should be careful in the way that the ElGamal scheme is used. For example, one should not use the same $k$ to produce two signatures, since in that case Eve can compute $q$. For two signatures $(\gamma, \delta_1)$ for message $m_1$ and $(\gamma, \delta_2)$ for $m_2$ we write the two verification congruences

$$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{m_1} \pmod p \tag{18}$$

and

$$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{m_2} \pmod p. \tag{19}$$

Thus we can write

$$\alpha^{m_1-m_2} \equiv \gamma^{\delta_1-\delta_2} \bmod p \equiv \alpha^{k(\delta_1-\delta_2)} \bmod p. \tag{20}$$

The second equation is equivalent to

$$m_1 - m_2 \equiv k(\delta_1 - \delta_2) \bmod (p-1). \tag{21}$$
Let $d = \gcd(\delta_1 - \delta_2, p-1)$. Since $d \mid (p-1)$ and $d \mid (\delta_1 - \delta_2)$, it follows that $d \mid (m_1 - m_2)$. Let

$$m' = \frac{m_1 - m_2}{d}, \qquad \delta' = \frac{\delta_1 - \delta_2}{d}, \qquad p' = \frac{p-1}{d}.$$

Then $m' \equiv k\delta' \bmod p'$. Since $\gcd(\delta', p') = 1$ we can compute the multiplicative inverse of $\delta'$ modulo $p'$. Let $\epsilon = (\delta')^{-1} \bmod p'$. Then the value of $k$ can be computed to be

$$k = m'\epsilon \bmod p'. \tag{22}$$

There are $d$ possible values of $k$ for which the above equation is true,

$$k = m'\epsilon + ip' \bmod (p-1), \tag{23}$$

with $0 \le i \le d-1$. We can find the right one by checking the congruence:

$$\gamma \equiv \alpha^{k} \bmod p. \tag{24}$$
Then from δ Eve can compute the private key q.
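
The recovery in (20) to (24) can be carried through on the handout's own numbers ($p = 467$, $\alpha = 2$, $q = 127$, $k = 213$). The following Python is an added example, not part of the original handout; the second message $m_2 = 200$ and the function names are assumptions, chosen so that $d = 2$ and the candidate check (24) is actually exercised.

```python
from math import gcd

P, ALPHA = 467, 2            # toy public parameters from the handout's example
Q = 127                      # Alice's private key (used only to create the sample signatures)
BETA = pow(ALPHA, Q, P)      # public key component beta = alpha^q mod p

def sign(m, k):
    """ElGamal signature: gamma = alpha^k mod p, delta = (m - q*gamma) k^-1 mod (p-1)."""
    gamma = pow(ALPHA, k, P)
    delta = (m - Q * gamma) * pow(k, -1, P - 1) % (P - 1)
    return gamma, delta

def verify(m, sig):
    """Accept iff beta^gamma * gamma^delta == alpha^m (mod p)."""
    gamma, delta = sig
    return pow(BETA, gamma, P) * pow(gamma, delta, P) % P == pow(ALPHA, m, P)

def solve_linear(a, b, n):
    """All x in [0, n) with a*x == b (mod n): d = gcd(a, n) candidates, as in (23)."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    n1 = n // d
    x0 = (b // d) * pow(a // d, -1, n1) % n1
    return [x0 + i * n1 for i in range(d)]

def recover_from_reused_k(m1, sig1, m2, sig2):
    """Return (k, q) when two signatures share gamma, else None."""
    (g1, d1), (g2, d2) = sig1, sig2
    if g1 != g2:
        return None                                   # different k: congruence (21) does not apply
    n = P - 1
    for k in solve_linear(d1 - d2, m1 - m2, n):       # congruence (21)
        if pow(ALPHA, k, P) != g1:                    # check (24)
            continue
        for q in solve_linear(g1, m1 - k * d1, n):    # m1 == q*gamma + k*delta1, eq. (3)
            if pow(ALPHA, q, P) == BETA:
                return k, q
    return None

# Constructed sample: the handout's m = 100 plus a second message signed with the same k.
SIG1, SIG2 = sign(100, 213), sign(200, 213)
```

For an auditor the first test is the useful one: two signatures under one key with equal $\gamma$ mean $k$ was reused and the key has to be treated as disclosed.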

1.2 Schnorr Signature Scheme


This is a variant of the ElGamal signature scheme. ElGamal requires a modulus of at least 1024 bits, thus leading to a signature of length 2048 bits. Schnorr's scheme produces much shorter signatures.

1. Pick $p$ long enough so that the DLP problem is intractable.
2. Pick $r$ such that $r \mid (p-1)$.
3. Let $\alpha \in \mathbb{Z}_p^*$ be the $r$th root of 1 modulo $p$, and $\beta = \alpha^{q} \pmod p$, $0 \le q \le r-1$. The public key is $(p, r, \alpha, \beta)$, and the private key is $q$.
4. Choose $k$ such that $1 \le k \le r-1$.
5. $\mathrm{sig}_K(m, k) = (\gamma, \delta)$; $\gamma = h(m \,\|\, \alpha^{k} \bmod p)$; $\delta = (k + q\gamma) \bmod r$.
6. Bob verifies $h(m \,\|\, \alpha^{\delta}\beta^{-\gamma} \bmod p) \stackrel{?}{=} \gamma$.

The $p$, $r$ are primes of the order of 1024 and 160 bits respectively. In the Schnorr scheme a message of $\log_2 r$ bits can be signed using only a $2\log_2 r$-bit sequence. The $\alpha$ is the $r$th root of 1 modulo $p$. To construct $\alpha$ such that $\alpha$ is the $r$th root of 1 modulo $p$, one can simply find a primitive element $\alpha_0 \in \mathbb{Z}_p$ and define $\alpha = \alpha_0^{(p-1)/r} \bmod p$.

1.3 Example for Schnorr Signature


Let $r = 101$, $p = 78r + 1 = 7879$. $\alpha = 3^{78} \bmod 7879 \equiv 170 \bmod 7879$.

As a check to see if $\alpha \in \mathbb{Z}_p^*$ is indeed a primitive element of order $r$, it must be that $\alpha^{r} \equiv 1 \bmod p$. We see that $170^{101} \equiv 1 \bmod 7879$.

Let $a = 75$; then $\beta = \alpha^{a} \equiv 4567 \bmod 7879$. Choose $k = 50$; then $\alpha^{k} \bmod p = 170^{50} \bmod 7879 \equiv 2518 \bmod 7879$.

If Alice has a message $m$, then $\gamma = h(m \,\|\, 2518)$. Assume $\gamma = h(m \,\|\, 2518) = 96$ for some $m$.

Then we can compute $\delta = (k + a\gamma) \bmod r = (50 + 75 \times 96) \bmod 101 \equiv 79 \bmod 101$.
Therefore, $\mathrm{sig}_K(m, 50) = (\gamma, \delta) = (96, 79)$. Alice sends $(m, \mathrm{sig}_K(m, k))$ to Bob.

Bob first computes: $\alpha^{\delta}\beta^{-\gamma} = 170^{79} \cdot 4567^{-96} \bmod 7879 \equiv 2518 \bmod 7879$.

Bob can then verify if $h(m \,\|\, \alpha^{\delta}\beta^{-\gamma}) \stackrel{?}{=} \gamma$, i.e. $h(m \,\|\, 2518) \stackrel{?}{=} 96$.
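
The example can be checked end to end in code. This Python is an added illustration, not code from the handout; the hash is passed in as a parameter because the handout leaves $h$ abstract, `sha256_mod_r` is an assumed stand-in that suits only this toy group, and the byte encoding of $m \,\|\, \alpha^{k}$ in `encode` is likewise an assumption.

```python
import hashlib

P, R, ALPHA = 7879, 101, 170    # toy parameters from the handout's example
A = 75                          # private key (called a in the example)
BETA = pow(ALPHA, A, P)         # public key component beta = alpha^a mod p

def sha256_mod_r(data: bytes) -> int:
    """Assumed hash: SHA-256 reduced mod r (toy-sized, not collision resistant)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % R

def encode(m: bytes, commitment: int) -> bytes:
    """m || (alpha^k mod p), with the group element as a fixed-width integer."""
    return m + commitment.to_bytes((P.bit_length() + 7) // 8, "big")

def sign(m: bytes, k: int, h=sha256_mod_r):
    if not 1 <= k <= R - 1:
        raise ValueError("k must satisfy 1 <= k <= r - 1")
    gamma = h(encode(m, pow(ALPHA, k, P)))
    delta = (k + A * gamma) % R
    return gamma, delta

def recompute_commitment(sig) -> int:
    """alpha^delta * beta^(-gamma) mod p, which equals alpha^k for a valid signature."""
    gamma, delta = sig
    return pow(ALPHA, delta, P) * pow(BETA, -gamma, P) % P

def verify(m: bytes, sig, h=sha256_mod_r) -> bool:
    gamma, delta = sig
    if not (0 <= gamma < R and 0 <= delta < R):
        return False
    return h(encode(m, recompute_commitment(sig))) == gamma

def assumed_hash(_data: bytes) -> int:
    """Reproduces the handout's assumption h(m || 2518) = 96."""
    return 96
```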

2 The Digital Signature Algorithm (DSA)


DSA is a variant of the ElGamal scheme and the Schnorr scheme.

1. Pick $p$ prime of length $L$ with $512 \le L \le 1024$ and $L \equiv 0 \pmod{64}$ such that the DLP problem is intractable.
2. Pick $r$ prime of length 160 bits with $r \mid p-1$. Let $\alpha \in \mathbb{Z}_p^*$ be the $r$th root of 1 modulo $p$, i.e., $\alpha^{r} \equiv 1 \pmod p$. Let $P = \{0, 1\}^*$ and $A = \mathbb{Z}_r^* \times \mathbb{Z}_r^*$.
3. Set $\beta \equiv \alpha^{q} \pmod p$, where $0 \le q \le r-1$.
4. Let $p, r, \alpha, \beta$ be the public key and $q$ be the private key.
5. Pick a secret random number $k$ with $1 \le k \le r-1$ and set $\mathrm{sig}_K(m, k) = (\gamma, \delta)$ with

$$\gamma = (\alpha^{k} \bmod p) \bmod r, \tag{25}$$

$$\delta = (\text{SHA-1}(m) + q\gamma)k^{-1} \bmod r. \tag{26}$$

6. If the choice of $k$ yields $\gamma = 0$ or $\delta = 0$, a new random value for $k$ is chosen (see homework).

7. The verification can be done by performing the following:

$$e_1 = \text{SHA-1}(m)\,\delta^{-1} \bmod r,$$

$$e_2 = \gamma\delta^{-1} \bmod r,$$

$$(\alpha^{e_1}\beta^{e_2} \bmod p) \bmod r = \gamma.$$

Assume that the computation of $\delta$ in the ElGamal scheme is changed from a “−” to a “+”:

$$\delta = (m + q\gamma)k^{-1} \pmod{p-1}.$$

The verification condition in this case changes to:

$$\alpha^{m}\beta^{\gamma} \equiv \gamma^{\delta} \pmod p. \tag{27}$$



Note in this equation that $\alpha$ has order $r$ (since $\alpha^{r} \equiv 1 \pmod p$) and $\beta$, $\gamma$ are also of order $r$ since they are powers of $\alpha$. Hence we can reduce all exponents in (27) modulo $r$ and the congruence would still hold. So first $\delta$ is brought down to $\mathbb{Z}_r$:

$$\delta = (m + q\gamma)k^{-1} \pmod r.$$

Similarly for $\gamma$:

$$\gamma' = \gamma \bmod r = (\alpha^{k} \bmod p) \bmod r.$$

By replacing $\gamma$ with $\gamma'$ in the expression of $\delta$ the congruence remains unchanged (since $\delta$ is now considered mod $r$). Hence, one can write:

$$\delta = (m + q\gamma')k^{-1} \bmod r.$$

The verification equation now becomes

$$\alpha^{m}\beta^{\gamma'} \equiv \gamma^{\delta} \pmod p.$$

We raise both sides to the power of $\delta^{-1} \bmod r$ and obtain:

$$\alpha^{m\delta^{-1}}\beta^{\gamma'\delta^{-1}} \bmod p \equiv \gamma.$$

Now we reduce both sides modulo $r$:

$$(\alpha^{m\delta^{-1}}\beta^{\gamma'\delta^{-1}} \bmod p) \bmod r \equiv \gamma \bmod r = \gamma'.$$

This yields the final verification in the DSA scheme, with $m$ being replaced with SHA-1$(m)$.
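
Steps 5 to 7 and the verification derived above, as an added Python example (not part of the original handout). It reuses the toy group $p = 7879$, $r = 101$, $\alpha = 170$ with private key 75 from the Schnorr example, which is an assumption made for readability since the handout gives no DSA numbers; the digest value 22 behind `SAMPLE` is constructed. The range check in `verify_digest` is not spelled out in step 7 but follows from $A = \mathbb{Z}_r^* \times \mathbb{Z}_r^*$.

```python
import hashlib
import secrets

P, R, ALPHA = 7879, 101, 170     # toy group (assumption: reused from the Schnorr example)
Q = 75                           # private key
BETA = pow(ALPHA, Q, P)          # public key component beta = alpha^q mod p

def sha1_int(m: bytes) -> int:
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def sign_digest(h: int, k: int):
    """Eqs. (25)-(26); returns None when this k gives gamma = 0 or delta = 0 (step 6)."""
    gamma = pow(ALPHA, k, P) % R
    delta = (h + Q * gamma) * pow(k, -1, R) % R
    return (gamma, delta) if gamma and delta else None

def sign(m: bytes):
    """Draw a fresh secret k per signature and retry on the rejected cases."""
    while True:
        sig = sign_digest(sha1_int(m), 1 + secrets.randbelow(R - 1))
        if sig is not None:
            return sig

def verify_digest(h: int, sig) -> bool:
    gamma, delta = sig
    if not (1 <= gamma <= R - 1 and 1 <= delta <= R - 1):
        return False                         # outside Z_r^* x Z_r^*: reject before inverting
    w = pow(delta, -1, R)
    e1, e2 = h * w % R, gamma * w % R
    return pow(ALPHA, e1, P) * pow(BETA, e2, P) % P % R == gamma

def verify(m: bytes, sig) -> bool:
    return verify_digest(sha1_int(m), sig)

# Constructed sample: digest value 22 signed with k = 50.
SAMPLE = sign_digest(22, 50)
```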

3 Provably Secure Signatures

3.1 One-time Signatures

One-time signatures are signatures that can only be used once, to prove the authenticity of the source. A simple way of constructing such a signature is through the use of a one-way hash function. This scheme is known as the Lamport Signature Scheme.

1. Let $P = \{0, 1\}^{k}$ where $k$ is a positive integer. Let $f : Y \to Z$ be a one-way function and let $A = Y^{k}$.
2. Choose $y_{i,j} \in Y$ at random with $1 \le i \le k$ and $j = 0, 1$ and set $z_{i,j} = f(y_{i,j})$.
3. Then $K = (y_{i,j}, z_{i,j},\ 1 \le i \le k,\ j = 0, 1)$, with the $y$'s being the private key and the $z$'s being the public key.
4. The signature is $\mathrm{sig}_K(m_1, \ldots, m_k) = (y_{1,m_1}, y_{2,m_2}, \ldots, y_{k,m_k})$.
5. Verification is done by $\mathrm{ver}_K((m_1, \ldots, m_k), (a_1, \ldots, a_k)) \Leftrightarrow f(a_i) = z_{i,m_i},\ 1 \le i \le k$.

Example (Stinson 7.6). Let $f(m) = \alpha^{m} \bmod p$, with $p = 7879$ and $\alpha = 3$ (why is this a one-way function?). Let $k = 3$ and $m = 110$. Then Alice randomly selects six random numbers that will be her private key.

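$$\begin{aligned}
y_{1,0} &= 5831\\
y_{1,1} &= 735\\
y_{2,0} &= 803\\
y_{2,1} &= 2467\\
y_{3,0} &= 4285\\
y_{3,1} &= 6449.
\end{aligned} \tag{28}$$

Then Alice computes the public keys from the private keys.

$$\begin{aligned}
z_{1,0} &= 2009\\
z_{1,1} &= 3810\\
z_{2,0} &= 4672\\
z_{2,1} &= 4721\\
z_{3,0} &= 268\\
z_{3,1} &= 5731.
\end{aligned} \tag{29}$$

The signature for $m = 110$ is $\mathrm{sig}_K(110) = (y_{1,1}, y_{2,1}, y_{3,0}) = (735, 2467, 4285)$. To verify the signature, Bob computes

$$\begin{aligned}
3^{735} \bmod 7879 &= 3810\\
3^{2467} \bmod 7879 &= 4721\\
3^{4285} \bmod 7879 &= 268.
\end{aligned} \tag{30}$$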

As you can see, Alice essentially reveals her private keys and hence the signature can only be used once. It is very easy to see that if two messages are signed with the same key, then Eve can manufacture the signature for a third message. For example, given the signatures for messages $m_1 = 011$, $m_2 = 101$, Eve can construct the signature for $m_3 = 111$ and $m_4 = 001$. Why is the Lamport Signature Scheme not a practical one?
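
The reuse problem described above, worked on the handout's key (added Python example, not part of the original handout; the function names are assumptions). `signable_after` lists every message whose signature can be assembled from preimages that published signatures have already revealed.

```python
from itertools import product

P, ALPHA = 7879, 3

def f(y: int) -> int:
    """One-way function of the example: f(y) = alpha^y mod p."""
    return pow(ALPHA, y, P)

# Private key y[i][j] from the handout (i = bit position, j = bit value).
PRIV = [(5831, 735), (803, 2467), (4285, 6449)]
PUB = [(f(y0), f(y1)) for y0, y1 in PRIV]      # z[i][j] = f(y[i][j])

def sign(msg: str):
    """Reveal one preimage per bit: y[i][m_i]."""
    return [PRIV[i][int(b)] for i, b in enumerate(msg)]

def verify(msg: str, sig) -> bool:
    return len(msg) == len(sig) == len(PUB) and all(
        f(a) == PUB[i][int(b)] for i, (b, a) in enumerate(zip(msg, sig)))

def revealed(signed):
    """Map (position, bit) -> preimage for everything the signatures disclosed."""
    return {(i, b): a for msg, sig in signed for i, (b, a) in enumerate(zip(msg, sig))}

def signable_after(signed):
    """Messages anyone can now sign, with signatures built from revealed preimages."""
    known = revealed(signed)
    out = {}
    for bits in product("01", repeat=len(PUB)):
        if all((i, b) in known for i, b in enumerate(bits)):
            out["".join(bits)] = [known[(i, b)] for i, b in enumerate(bits)]
    return out
```

After one signature the result contains only the signed message; after the two signatures from the text it contains four.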

4 Undeniable Digital Signatures

Undeniable digital signatures provide a means where a signature can be verified only with the signer's consent. This prevents anyone from being able to verify the validity of a signature unless the signer wants them to. The outline of the protocol works as follows:

1. Alice provides a signature to Bob.


2. Bob generates a random number and sends it to Alice.
3. Alice uses the random number and her private key to perform a calculation that only she could
perform and sends the result to Bob.
4. Bob confirms the result.

An example of an undeniable digital signature scheme is as follows:



1. A large prime $p$ and a primitive element $g$ are made public and are used by a group of signers instead of a single one.
2. Alice has a private key $x$ and a public key $K = g^{x} \bmod p$.
3. To sign a message $M$, Alice computes $z = M^{x} \bmod p$ and uses $z$ as the signature.
4. Bob chooses two random numbers $a$, $b$ and sends to Alice

$$c = z^{a}(g^{x})^{b} \bmod p.$$

5. Alice computes $t = x^{-1} \bmod (p-1)$ and then sends to Bob

$$d = c^{t} \bmod p.$$

6. Bob verifies that $d \equiv M^{a}g^{b} \bmod p$.
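
The six steps as a message exchange between the two parties (added Python example, not from the handout). The toy values $p = 467$, $g = 2$, $x = 127$ are assumptions borrowed from the ElGamal example; $x$ must be coprime to $p - 1$ for the inverse in step 5 to exist.

```python
import secrets

P, G = 467, 2                 # public prime and primitive element (toy values, assumed)
X = 127                       # Alice's private key; gcd(X, P - 1) = 1 is required
K = pow(G, X, P)              # Alice's public key g^x mod p

def alice_sign(M: int) -> int:
    return pow(M, X, P)                               # step 3: z = M^x mod p

def bob_challenge(z: int, a=None, b=None):
    """Step 4: Bob keeps (a, b) secret and sends only c."""
    a = a or 1 + secrets.randbelow(P - 2)
    b = b or 1 + secrets.randbelow(P - 2)
    return (a, b), pow(z, a, P) * pow(K, b, P) % P

def alice_respond(c: int) -> int:
    t = pow(X, -1, P - 1)                             # step 5: t = x^-1 mod (p - 1)
    return pow(c, t, P)                               # d = c^t mod p

def bob_check(M: int, secret, d: int) -> bool:
    a, b = secret
    return d == pow(M, a, P) * pow(G, b, P) % P       # step 6: d == M^a g^b mod p

def confirm(M: int, z: int) -> bool:
    """Run one round of the exchange: challenge, Alice's response, Bob's check."""
    secret, c = bob_challenge(z)
    return bob_check(M, secret, alice_respond(c))
```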

5 Designated Confirmer Signatures


Alice wants to sign a message so that Bob can verify the signature, but nobody else shall be able to
verify without the consent of Carol. Alice delegated her authority to Carol so that Carol can provide
necessary information for any other party to verify Alice’s signature. This is required if for example
the authority to verify signatures is delegated to some copyright office or government agency. Alice
involves Carol’s public key in the computation, so that Carol gains the privilege of allowing signature
verification.

6 Proxy Signatures
A proxy signature scheme allows for Bob to sign messages on behalf of Alice. Bob must be able to
sign messages without knowing the private key of Alice. Proxy signatures must satisfy the following
requirements:
– Distinguishability: Proxy signatures must be distinguishable from regular ones.
– Unforgeability: Only Bob and Alice must be able to generate a signature.
– Proxy signer’s deviation: Bob shall not be able to generate a regular signature.
– Verifiability: Any verifier must be convinced that Bob is authorized to sign messages of Alice.
– Identifiability: Alice must be able to verify the identity of the proxy from the proxy signature.
– Undeniability: Bob cannot disavow a proxy signature he created.

7 Group Signatures
Group signatures are a way of signing messages where anyone can verify that the entity who signed is part of the group without being able to identify who signed. In case it is needed, the anonymity of the signer can be revoked. The following properties must be satisfied.
– Unforgeability: Only members of the group must be able to sign messages.
– Verifiability: Anyone can verify that a message was signed by a member of the group.
– Anonymity: No one can determine which member signed the message.
– Revocability: In the case of dispute, the identity of a signer can be revealed using a trapdoor.
– Unlinkability: Given two messages and their signatures, we cannot tell if the signatures were
from the same signer or not.
– No Framing: Even if all other group members (and the managers) collude, they cannot forge a
signature for a non-participating group member.

7.1 A Group Signature Using a Trusted Arbitrator (manager)

1. The manager generates a large number of public/private key pairs to distribute to each member
of the group. Every member obtains more than one pair and all keys are unique.
2. The manager then publishes all public keys in a random order without publishing the assignment
of keys to different members.
3. When a member wants to sign a message, it just randomly selects one key pair from its list and
signs the message.
4. Anyone who wants to verify a signature looks up the public key corresponding to the private
key with which the message was signed.
5. In case of a dispute, the manager can identify the user by simply looking at the assignment.

Other types of protocols have been proposed that remove the necessity of an arbitrator.

8 Ring Signatures

Very similar to group signatures but it is impossible to revoke the anonymity provided by the ring
signature. That is, once a message is signed anyone can verify that the signature belongs to a
particular group, but it is impossible to tell to which one. This type of signature was published as
a method to leak a secret without being detected.
