The company claims that this hash function is collision-resistant. Show that the
ID: 662572 • Letter: T
Question
The company claims that this hash function is collision-resistant. Show that they are wrong. Namely, present an algorithm C that given any p, g1, G2 satisfy the above conditions, very easily (formally, in time polynomial in |p| out puts such that and. Briefly justify your answer. Hint: Recalling the formula for calculating the Legendre symbol may be useful. Problem 2.6, 10 points. In the video from USENIX conference we watched at the end of the lectures we learned that the DSA signature becomes completely insecure if the signer uses the same randomness for signing. Show that the same is true for ElGamal signatures, even with hashes. Namely, review the ElGamal signature with hashes from the lecture slides, and show that an attacker can recover the secret key the signer uses the same randomness for signing. I.e., the signer picks the randomness once for the first signature, but later reuses it for other signatures.Explanation / Answer
one of the most best and popular signature algorithm is Elgamal signature algorithm. However is very hard and good discree signature algoruthm.
But since past few years several cases are noticed which states that Elgamal signature algorithm is not secure.
Ok let us discuss about this:
Generally for Elgamal algorithm along with private we have to give few more parameters (p,?,y) as a public key.
Some cryptanlysis analysis shows that if generator ? and the modulus P by checking different relations, it is possible to steal
Elgamal signature algorithm for ant arbitary message. It becomes insecure since ? is divided with (p-1) . So selecting ? = 2 is
not a correct option.we can prove that, if the modular inverse of the generator
? divides p ? 1, then it is possible to break the system. If we take example,
? = p + 1
-------
2
as a generator, is not recommended