Insecure primitive elements in an ElGamal signature protocol
Omar Khadir

TL;DR
This paper demonstrates that the ElGamal signature scheme is vulnerable if a power of the generator is smooth and divides p-1, which extends Bleichenbacher's 1996 attack and enables forgery without the secret key.
Contribution
It introduces a new vulnerability condition for ElGamal signatures based on smoothness of certain powers, extending prior cryptanalysis.
Findings
Identifies a specific condition under which ElGamal signatures can be forged.
Extends Bleichenbacher's attack to a broader class of parameters.
Shows the practical implications of smoothness in signature security.
Abstract
Consider the classical ElGamal digital signature scheme based on the modular relation . In this work, we prove that if we can compute a natural integer such that is smooth and divides , then it is possible to sign any given document without knowing the secret key. Therefore we extend and reinforce Bleichenbacher's attack presented at Eurocrypt'96.
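A parameter audit for the condition described above, as an added example that is not code from the paper: it flags a generator when one of its first few powers modulo p is smooth and divides p-1, so the parameter set can be rejected before keys are issued. It assumes the condition reads as in the TL;DR (a power of the generator); the function names, the `max_exp` and `bound` limits, and the toy values p = 23, g = 5 and g = 7 are constructed for illustration.

```python
"""Bounded audit of ElGamal signature parameters (p, g).

Assumption: the weak condition is "some power g^i mod p is smooth and
divides p - 1", as stated in the page's TL;DR. Only exponents up to
max_exp are examined, so an empty result is not a proof of safety.
"""

def is_smooth(n, bound):
    """True if every prime factor of n is <= bound (trial division)."""
    if n < 1:
        return False
    d = 2
    while d <= bound and n > 1:
        while n % d == 0:
            n //= d
        d += 1
    return n == 1

def weak_exponents(p, g, max_exp=1000, bound=100):
    """Return [(i, g^i mod p)] for 1 <= i <= max_exp where the power
    divides p - 1 and is bound-smooth. The value 1 is skipped because
    every generator reaches it and it says nothing about g."""
    hits = []
    power = 1
    for i in range(1, max_exp + 1):
        power = (power * g) % p
        if power > 1 and (p - 1) % power == 0 and is_smooth(power, bound):
            hits.append((i, power))
    return hits

def audit(p, g, max_exp=1000, bound=100):
    """Summarise the check as a reject / accept decision with witnesses."""
    hits = weak_exponents(p, g, max_exp, bound)
    return {"p": p, "g": g, "reject": bool(hits), "witnesses": hits}

if __name__ == "__main__":
    # Constructed toy parameters: p - 1 = 22 = 2 * 11.
    for g in (5, 7):
        print(audit(23, g, max_exp=10, bound=11))
```

With real-size primes the search stays cheap because it only walks `max_exp` modular multiplications; raising `max_exp` and `bound` widens the audit at linear cost.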
