Hi,

suppose we use an ElGamal-variant where we do not need to compute inverses
modulo the group order.  Such variants exist and they are explained in the
Handbook of Cryptography, for instance, let

        G: generator
        a: secret value
        A: public value G^a

and for the signature

        k: secret random value
        R: G^k

and

        s = a h(m) + k g(R)  mod n              (*)

where h is a hash-function, n is the group order, and g is a (public)
mapping from the elements of the group to Z (the integers).  The signature
is (s, R).

For the verification, check that

        G^s = A^h(m) R^g(R)

holds.

Now suppose that the reduction  mod n in (*) is omitted.  Except that the
size of s would be larger, can anybody see whether this would be harmful?

-- 

S. Hamdy                                |  All primes are odd except 2,
[EMAIL PROTECTED]    |  which is the oddest of all.
                                        |
unsolicited commercial e-mail           |  D.E. Knuth
is strictly not welcome                 |
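
Added example (not part of the original message): the variant above in a constructed toy subgroup, signing with and without the reduction mod n in (*) and checking both results against the verification equation. The parameters P, N, G, the use of SHA-256 for h, and the integer representative for g are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): P = 2*N + 1,
# both prime, and G = 4 generates the subgroup of prime order n = N.
P, N, G = 2039, 1019, 4

def h(m: bytes) -> int:
    """Hash function h, read as an integer (assumption: SHA-256)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def g(R: int) -> int:
    """Public map g from group elements to Z (assumption: the representative)."""
    return R

def keygen():
    """Return (a, A) with secret a and public A = G^a."""
    a = secrets.randbelow(N - 1) + 1
    return a, pow(G, a, P)

def sign(m: bytes, a: int, k=None, reduce=True):
    """Signature (s, R) with s = a*h(m) + k*g(R), reduced mod n only if asked."""
    if k is None:
        k = secrets.randbelow(N - 1) + 1    # fresh secret k in [1, n-1]
    R = pow(G, k, P)
    s = a * h(m) + k * g(R)                 # equation (*) before reduction
    return (s % N if reduce else s), R

def verify(m: bytes, sig, A: int) -> bool:
    """Check G^s == A^h(m) * R^g(R) in the group."""
    s, R = sig
    if s < 0 or not 0 < R < P or pow(R, N, P) != 1:
        return False                        # R must lie in the order-n subgroup
    return pow(G, s, P) == pow(A, h(m), P) * pow(R, g(R), P) % P

def compare(m: bytes, a: int, k: int) -> dict:
    """Sign m twice with the same k, with and without the reduction."""
    A = pow(G, a, P)
    s_red, R = sign(m, a, k, reduce=True)
    s_full, _ = sign(m, a, k, reduce=False)
    return {
        "reduced_ok": verify(m, (s_red, R), A),
        "unreduced_ok": verify(m, (s_full, R), A),
        "same_residue": s_full % N == s_red,
        "bits": (s_red.bit_length(), s_full.bit_length()),
    }

if __name__ == "__main__":
    print(compare(b"constructed sample message", a=123, k=77))
```

Because G has order n, the verification equation depends only on s mod n, so the unreduced s and any s + t*n are accepted alongside the reduced value.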
