p-NEW digital signatures
Matthew Ghio
ghio at c2.org
Fri Jan 12 11:55:54 PST 1996
Kent Briggs <kbriggs at execpc.com> wrote:
>s is discarded and the signature is r and z. The verification is:
>
>m=zy^r mod p
>
>This slows down the signing but speeds up the verification. Here's the $64K
>question: Does this compromise the signature's security?
Yes. In this case a fake signature can be forged by picking a random r, and
then z can be calculated as:
z=my^(-r) mod p
No security at all.
More information about the cypherpunks-legacy
mailing list