The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms.
[1] The ElGamal signature algorithm is rarely used in practice.
A variant developed at the NSA and known as the Digital Signature Algorithm is much more widely used.
The ElGamal signature scheme is a digital signature scheme based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem.
The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key.
The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes a single key pair for one user.
Given a set of parameters, the second phase computes the key pair for a single user:
to the receiver via a reliable, but not necessarily secret, mechanism.
, A third party can forge signatures either by finding the signer's secret key x or by finding collisions in the hash function
However, as of 2011 no tight reduction to a computational hardness assumption is known.
The signer must be careful to choose a different k uniformly at random for each signature and to be certain that k, or even partial information about k, is not leaked.
In particular, if two messages are sent using the same value of k and the same key, then an attacker can compute x directly.
[1] The original paper[1] did not include a hash function as a system parameter.
This enables an attack called existential forgery, as described in section IV of the paper.
Pointcheval and Stern generalized that case and described two levels of forgeries:[3]