Page:Fips186-2-change1.pdf/14



This appendix is for informational purposes only and is not required to meet the standard.

The purpose of this appendix is to show that in the DSA, if M′ = M, r′ = r and s′ = s in the signature verification then v = r′. We need the following easy result.

LEMMA. Let p and q be primes so that q divides p - 1, h a positive integer less than p, and g = h$(p-1)/q$­ mod p. Then g$q$ mod p = 1, and if m mod q = n mod q, then g$m$ mod p = g$n$ mod p.

Proof: We have


 * g$q$ mod p = (h$(p-1)/q$ mod p)$q$ mod p


 * = h$(p-1)$ mod p


 * = 1

by Fermat's Little Theorem. Now let m mod q = n mod q, i.e., m = n + kq for some integer k. Then


 * g$m$ mod p = g$n+kq$ mod p


 * = (g$n$ g$kq$) mod p


 * = ((g$n$ mod p) (g$q$ mod p)$k$) mod p


 * = g$n$ mod p

since g$q$ mod p = 1. ∎

We are now ready to prove the main result.

THEOREM. If M′ = M, r′ = r, and s′ = s in the signature verification, then v = r′.

Proof: We have


 * w = (s′)$-1$ mod q = s$-1$ mod q


 * u1 = ((SHA-1(M′))w) mod q = ((SHA-1(M))w) mod q


 * u2 = ((r′)w) mod q = (rw) mod q.