Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Alice uses the El Gamal signature scheme in F*_p for some large prime p with a p

ID: 2977735 • Letter: A

Question

Alice uses the El Gamal signature scheme in F*_p for some large prime p with a primitive root g (mod p). Alice has secret key a which is an element of Z*_{p-1} and public keys b congruent g^a (mod p). She does not hash her message and messages are elements in Z_{p-1}. Her signature to a message m (element of {0.1}*) is the pair (r,s) where r is congruent to g^k (mod p), 1<= r <= p-1, with k an element of Z*_{p-1} randomly generated and s is congruent to k^{-1}(m-kr) (mod p-1). The signature (r,s) to a message m is accepted if and only if b^r r^s is congruent to g^m (mod p). a) Suppose an attacker selects any pair of integers (u,v) with gcd(v,p-1) = 1 and computes r congruent to g^u b^v (mod p), s congruent to -rv^{-1} (mod p-1), m congruent to su (mod p-1). Prove that anyone accepts the signature (r,s) to the "message" m as valid and generated by Alice, so the attacker has committed existential forgery against Alice. ; b) Now suppose a pre-image resistant hash function h is used. Explain why the attack is no longer feasible.

Explanation / Answer

follow this It is set up with four values: a large prime , a prime which is a factor of , a primitive root of , and a value defined by . For security, is recommended to be at least 154 digits, and at least 48 digits. Alice, the sender, chooses as her private key any value and calculates as her public key. This is secure, by the discrete logarithm problem. The public key consists of the values and the private key is the value . Given a message , a signature is computed as follows: Alice chooses at random for which . She then computes: and the two values are the signature of the message . We are assuming here that ; as in general most messages will be much larger, it is customary to sign not the message itself, but a cryptographic hash of the message, which will be a string of some fixed length (and shorter than ). To verify the signature, Bob (the receiver) calculates the following values: If then he accepts the signature. To see why this works, note that from the definition of , we can write and by multiplying through by we obtain: This last equation can be written . Now we have This algorithm has the advantage that its security is of order length of , but the signature values are much smaller

Related Questions

Alice decides to use RSA with the public key N = 1889570071. In order to guard a
Question #3849705
Alice discovers a reflected XSS flaw in her web application. Which of the follow
Question #3745582
Alice each push a puck to have them collide on an air table. In a particular sys
Question #1476270
Alice enjoys consuming goods x and y. Where (x,y) is the consumption bundle and
Question #1144811
Alice entered into a written agreement with Moran, whereby Moran agreed to remod
Question #419466
Alice forgot the password to access to her bank account. She presses the button
Question #3039987
Alice goes to the Dominican Republic for a vacation. She has 20 dresses, 10 pair
Question #2922457
Alice has 5 coins. Two of the coins are double-headed (both sides are heads). On
Question #3046186
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Alice typically mows her own lawn whereas her neighbor pays to have her yard mow
Next
Alice v. Looking Glass Corporation When Looking Glass Corporation decided to off

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.