Elgamal signature process

The Elgamal signature method is a method for digital signatures that is based on the mathematical problem of the discrete logarithm . It is to be distinguished from the Elgamal encryption method , whereby both methods were published in 1984 by Taher Elgamal in the same article.

A variant of this process was later standardized as the Digital Signature Algorithm and was widely used. The original method, on the other hand, is rarely used due to the relatively high computational effort and the large signatures (especially compared to DSA). For example, the ElGamal signature procedure was never part of SSL or TLS and was not implemented by OpenSSL or GnuTLS (DSA, however, was).

preparation

As with all methods with a discrete logarithm, one works in an Abelian group G with a generator g . In the original version of the method, this group is a subgroup of large prime order of the multiplicative group of the remainder class field modulo a prime number . However, it is just as possible to implement the method on the basis of another finite group. In particular, an elliptic curve can be used for this purpose . ${\ displaystyle q}$ ${\ displaystyle \ mathbb {Z} _ {p} ^ {*}}$${\ displaystyle p}$

In practice this means choosing a prime q such that p = 2q + 1 is also a prime (by randomly choosing q and testing p, repeat until one is found). Then all elements (except 1 and −1) of either the entire group (of order ), or the subgroup of order q , and one chooses one as g , which creates the subgroup (multiplicative), usually 2 or 3. ${\ displaystyle \ mathbb {Z} _ {p} ^ {*}}$${\ displaystyle 2q = p-1}$

To generate a key pair, a participant dials in (uniformly distributed at random) and calculates from it using modular exponentiation . A (or the triple (p, g, A) ) can then be made known as the subscriber's public key, while a is kept secret as the private key. ${\ displaystyle a \ in \ {2, \ ldots, p-2 \}}$${\ displaystyle A = g ^ {a} \, {\ bmod {\,}} p}$

• A random number k is determined so that and (so that exists and can be calculated using the extended Euclidean algorithm ).${\ displaystyle 0 <k <p-1}$${\ displaystyle \ operatorname {ggT} (k, p-1) = 1}$${\ displaystyle k ^ {- 1} {\ bmod {(}} p-1)}$
• One calculates .${\ displaystyle r \, \ equiv \, g ^ {k} {\ pmod {p}}}$
• One calculates ${\ displaystyle s \, \ equiv \, (H (m) -a \ cdot r) k ^ {- 1} {\ pmod {p-1}}}$
• If so, the steps are repeated.${\ displaystyle s = 0}$