17 Dec
2003
17 Dec
'03
11:17 p.m.
Kent Briggs <kbriggs@execpc.com> wrote:
s is discarded and the signature is r and z. The verification is:
m=zy^r mod p
This slows down the signing but speeds up the verification. Here's the $64K question: Does this compromise the signature's security?
Yes. In this case a fake signature can be forged by picking a random r, and then z can be calculated as: z=my^(-r) mod p No security at all.