Elgamal Digital Signature

The document discusses the Elgamal digital signature scheme. It begins by explaining that unlike RSA, the Elgamal digital signature scheme is different from the encryption scheme with the same name. It then describes the key generation process, signature generation which produces a signature consisting of two integers $r$ and $s$, and signature verification which checks if the relation $\beta^r \cdot r^s \equiv \alpha^x \bmod p$ is satisfied. An example is provided to illustrate the signature process. Computational details are also covered.

Uploaded by

Rumble king

Fig. 10.2 Principle of EMSA-PSS encoding

10.3 The Elgamal Digital Signature Scheme

The Elgamal signature scheme, which was published in 1985, is based on the
difficulty of computing discrete logarithms (cf. Chap. 8). Unlike RSA, where encryption
and digital signature are almost identical operations, the Elgamal digital signature
is quite different from the encryption scheme with the same name.

10.3.1 Schoolbook Elgamal Digital Signature

Key Generation

As with every public-key scheme, there is a set-up phase during which the keys are
computed. We start by finding a large prime p and constructing a discrete logarithm
problem as follows:

Key Generation for Elgamal Digital Signature

1. Choose a large prime $p$.
2. Choose a primitive element $\alpha$ of $\mathbb{Z}_p^*$ or a subgroup of $\mathbb{Z}_p^*$.
3. Choose a random integer $d \in \{2, 3, \ldots, p-2\}$.
4. Compute $\beta = \alpha^d \bmod p$.

The public key is now formed by $k_{pub} = (p, \alpha, \beta)$, and the private key by $k_{pr} = d$.

Signature and Verification

Using the private key and the parameters of the public key, the signature

$$\mathrm{sig}_{k_{pr}}(x, k_E) = (r, s)$$

for a message $x$ is computed during the signing process. Note that the signature
consists of two integers $r$ and $s$. The signing consists of two main steps: choosing a
random value $k_E$, which forms an ephemeral private key, and computing the actual
signature of $x$.

Elgamal Signature Generation

1. Choose a random ephemeral key $k_E \in \{0, 1, 2, \ldots, p-2\}$ such that
   $\gcd(k_E, p-1) = 1$.
2. Compute the signature parameters:

$$r \equiv \alpha^{k_E} \bmod p,$$
$$s \equiv (x - d \cdot r)\, k_E^{-1} \bmod p-1.$$

On the receiving side, the signature is verified as $\mathrm{ver}_{k_{pub}}(x, (r, s))$ using the public
key, the signature and the message.

Elgamal Signature Verification

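1. Compute the value

$$t \equiv \beta^r \cdot r^s \bmod p$$

2. The verification follows from:

$$t \begin{cases} \equiv \alpha^x \bmod p & \Longrightarrow \text{valid signature} \\ \not\equiv \alpha^x \bmod p & \Longrightarrow \text{invalid signature} \end{cases}$$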

In short, the verifier accepts a signature $(r, s)$ only if the relation
$\beta^r \cdot r^s \equiv \alpha^x \bmod p$ is satisfied. Otherwise, the verification fails. In order to make sense of the rather
arbitrary looking rules for computing the signature parameters $r$ and $s$ as well as the
verification, it is helpful to study the following proof.

Proof. We’ll prove the correctness of the Elgamal signature scheme. More
specifically, we show that the verification process yields a “true” statement if the verifier
uses the correct public key and the correct message, and if the signature parameters
$(r, s)$ were chosen as specified. We start with the verification equation:

$$\begin{aligned} \beta^r \cdot r^s &\equiv (\alpha^d)^r (\alpha^{k_E})^s \bmod p \\ &\equiv \alpha^{d\,r + k_E\,s} \bmod p. \end{aligned}$$

We require that the signature is considered valid if this expression is identical to $\alpha^x$:

$$\alpha^x \equiv \alpha^{d\,r + k_E\,s} \bmod p. \qquad (10.1)$$

According to Fermat’s Little Theorem, the relationship (10.1) holds if the exponents
on both sides of the expression are identical modulo $p - 1$:

$$x \equiv d\,r + k_E\,s \bmod p-1$$

from which the construction rule of the signature parameters $s$ follows:

$$s \equiv (x - d \cdot r)\, k_E^{-1} \bmod p-1.$$

□

The condition that $\gcd(k_E, p-1) = 1$ is required since we have to invert the
ephemeral key modulo $p - 1$ when computing $s$.
Let’s look at an example with small numbers.

Example 10.2. Again, Bob wants to send a message to Alice. This time, it should
be signed with the Elgamal digital signature scheme. The signature and verification
process is as follows:

Alice                                   Bob
                                        1. choose $p = 29$
                                        2. choose $\alpha = 2$
                                        3. choose $d = 12$
                                        4. $\beta = \alpha^d \equiv 7 \bmod 29$
          $(p, \alpha, \beta) = (29, 2, 7)$
          ←−−−−−−−−−−−−
                                        compute signature for message $x = 26$:
                                        choose $k_E = 5$, note that $\gcd(5, 28) = 1$
                                        $r = \alpha^{k_E} \equiv 2^5 \equiv 3 \bmod 29$
                                        $s = (x - d\,r)\, k_E^{-1} \equiv (-10) \cdot 17 \equiv 26 \bmod 28$
          $(x, (r, s)) = (26, (3, 26))$
          ←−−−−−−−−−−−−
verify:
$t = \beta^r \cdot r^s \equiv 7^3 \cdot 3^{26} \equiv 22 \bmod 29$
$\alpha^x \equiv 2^{26} \equiv 22 \bmod 29$
$t \equiv \alpha^x \bmod 29 \Longrightarrow$ valid signature

10.3.2 Computational Aspects

The key generation phase is identical to the set-up phase of Elgamal encryption,
which we introduced in Sect. 8.5.2. Because the security of the signature scheme
relies on the discrete logarithm problem, p needs to have the properties discussed
in Sect. 8.3.3. In particular, it should have a length of at least 1024 bits. The prime
can be generated using the prime-finding algorithms introduced in Sect. 7.6. The
private key should be generated by a true random number generator. The public key
requires one exponentiation using the square-and-multiply algorithm.
The signature consists of the pair (r, s). Both have roughly the same bit length
as p, so that the total length of the package (x, (r, s)) is about three times as long
as only the message x. Computing r requires an exponentiation modulo p, which
can be achieved with the square-and-multiply algorithm. The main operation when
computing $s$ is the inversion of $k_E$. This can be done using the extended Euclidean
algorithm. A speed-up is possible through precomputing. The signer can generate
the ephemeral key $k_E$ and $r$ in advance and store both values. When a message is to
be signed, they can be retrieved and used to compute s. The verifier performs two
exponentiations that are again computed with the square-and-multiply algorithm,
and one multiplication.
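
The following Python sketch is an added example, not code from the book. It implements the key generation, signing and verification rules of Sect. 10.3.1, with signing split into the message-independent precomputation of $(k_E, r)$ and the later computation of $s$ as described in the paragraph above, and it reproduces Example 10.2. The function names and the range check on $(r, s)$ in `verify` are choices of this example.

```python
import math
import secrets  # OS CSPRNG, used here for the random choices the text calls for


def keygen(p, alpha, d=None):
    """Return (k_pub, k_pr) = ((p, alpha, beta), d) with beta = alpha^d mod p."""
    if d is None:
        d = 2 + secrets.randbelow(p - 3)  # d in {2, ..., p-2}
    return (p, alpha, pow(alpha, d, p)), d


def precompute(k_pub, k_e=None):
    """Message-independent step: choose k_E and compute r = alpha^k_E mod p."""
    p, alpha, _ = k_pub
    if k_e is None:
        k_e = secrets.randbelow(p - 1)  # candidate in {0, ..., p-2}
        while math.gcd(k_e, p - 1) != 1:
            k_e = secrets.randbelow(p - 1)
    elif math.gcd(k_e, p - 1) != 1:
        raise ValueError("k_E must be invertible modulo p - 1")
    return k_e, pow(alpha, k_e, p)


def finish(k_pub, d, x, k_e, r):
    """Message-dependent step: s = (x - d*r) * k_E^-1 mod (p - 1)."""
    p = k_pub[0]
    k_inv = pow(k_e, -1, p - 1)  # modular inverse (Python 3.8+)
    return r, (x - d * r) * k_inv % (p - 1)


def verify(k_pub, x, sig):
    """Accept iff beta^r * r^s == alpha^x (mod p)."""
    p, alpha, beta = k_pub
    r, s = sig
    # Range check added by this example (not stated on the page): reject
    # values outside the sets the signer's formulas can produce.
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    t = pow(beta, r, p) * pow(r, s, p) % p
    return t == pow(alpha, x, p)


def example_10_2():
    """Toy parameters of Example 10.2; real use needs p of at least 1024 bits."""
    k_pub, d = keygen(29, 2, d=12)
    k_e, r = precompute(k_pub, k_e=5)  # can run before the message is known
    sig = finish(k_pub, d, 26, k_e, r)
    return k_pub, sig, verify(k_pub, 26, sig), verify(k_pub, 25, sig)
```

Calling `example_10_2()` returns the public key and signature of the worked example, followed by the verification result for the signed message and for an altered one.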
