p-NEW digital signatures

[Matthew Ghio]

Kent Briggs <kbriggs at execpc.com> wrote:
>s is discarded and the signature is r and z.  The verification is:
>
>m=zy^r mod p
>
>This slows down the signing but speeds up the verification.  Here's the $64K
>question:  Does this compromise the signature's security?

Yes.  In this case a fake signature can be forged by picking a random r, and
then z can be calculated as:

z=my^(-r) mod p

No security at all.