# Re: Shortcut digital signature verification failure

```Nomen Nescio  wrote:
```
Great questions!  The explanation is that I botched the description
of Bernstein's trick.  Let me try again and see if I can get it right
this time.

A signature on message m is a tuple (h,s,k) such that s^3 = kn + h, h =
H(m), and 0 <= h,s,k < n.

A reasonably fast way to check the validity of a claimed signature
is to apply the hash, verify h = H(m), then compute s^3 mod n using
modular arithmetic and check that s^3 = h (mod n).  This requires a few
multiplications and reductions modulo n.

A faster way to verify the validity of a claimed signature is to secretly
pick a random 31-bit prime p.  We will verify that h = H(m) and s^3 - kn -
h = 0 (mod p).  Note that the latter can be tested quickly by computing
s mod p, s^3 mod p, k mod p, n mod p, and h mod p, and then doing a few
subtractions mod p.

We can see that the second method is faster than the first method:
it replaces a few operations modulo n by a few operations modulo p.
Since p is much smaller than n, this is a win.

Did I get it right this time?  Is it clearer?  If there are any
errors above, I take full responsibility for them.  The authoritative
description of Bernstein's trick can be found in his paper (cited in my
previous email).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
```