ElGamal Signature scheme

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher ElGamal in 1984.[1]

The ElGamal signature algorithm described in this article is rarely used in practice. A variant developed at NSA and known as the Digital Signature Algorithm is much more widely used. There are several other variants.[2] The ElGamal signature scheme must not be confused with ElGamal encryption which was also invented by Taher ElGamal.

The ElGamal signature scheme allows a third-party to confirm the authenticity of a message sent over an insecure channel.

System parameters

These system parameters may be shared between users.

Key generation

  • Randomly choose a secret key x with 1 < x < p − 1.
  • Compute y = g x mod p.
  • The public key is (pgy).
  • The secret key is x.

These steps are performed once by the signer.

Signature generation

To sign a message m the signer performs the following steps.

  • Choose a random k such that 0 < k < p − 1 and gcd(kp − 1) = 1.
  • Compute r \, \equiv \, g^k \pmod p.
  • Compute s \, \equiv \, (H(m)-x r)k^{-1} \pmod{p-1}.
  • If s=0 start over again.

Then the pair (r,s) is the digital signature of m. The signer repeats these steps for every signature.


A signature (r,s) of a message m is verified as follows.

  • 0 and 0.
  • g^{H(m)}\pmod p \, \equiv \, y^r r^s \pmod p.

The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.


The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.

The signature generation implies

H(m) \, \equiv \, x r + s k \pmod{p-1}.

Hence Fermat's little theorem implies

\begin{align} g^{H(m)} & \equiv g^{xr} g^{ks} \\ & \equiv (g^{x})^r (g^{k})^s \\ & \equiv (y)^r (r)^s \pmod p.\\ \end{align}


A third party can forge signatures either by finding the signer's secret key x or by finding collisions in the hash function H(m) \equiv H(M) \pmod{p-1}. Both problems are believed to be difficult. However, as of 2011 no tight reduction to a computational hardness assumption is known.

The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked. Otherwise, an attacker may be able to deduce the secret key x with reduced difficulty, perhaps enough to allow a practical attack. In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.[1]

See also


This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.