Re: Compatibility of 2.3 ElGamal digest signatures with later versions

[Wei Dai]

Unfortunately, the old ElGamal signature scheme was non-standard (it was implemented before a suitable standard was available), and hasn't been included in Crypto++ since version 3.0. You may have to port the old ElGamal signature code yourself. ----- Original Message ----- From: Bill Shanahan To: cryptopp-list@eskimo.com Sent: Wednesday, April 12, 2006 12:07 PM Subject: Compatibility of 2.3 ElGamal digest signatures with later versions Hi,   I have the belated task of upgrading our crypto++ from 2.3, which it has been for years.  Currently I am stuck because the NR verifier won’t verify some messages that were signed by crypt++ 2.3.  In particular, using crypto++ 2.3 and 4.2,                                       unsigned char testNr[ 31 ] = "\x0B\xB1\x5B\x75\xED\x14\x3D\x92\x26\x37\xCA\x89\xD7\x8E\x4B\x60\xC7\x60\xA7\x1C\x7A\x24\xBD\x51\x29\x96\x1A\xC2\x9E\x34";                                     unsigned char testSha[ CryptoPP::SHA::DIGESTSIZE + 1 ] = "\xEE\x03\x25\x47\xFF\xBA\x68\x83\xC4\xA2\x12\xE5\x14\xBA\xE5\x45\x61\x3F\x2A\xE4";                                       Integer P23("7019381798617006716835813087296001796150962106074841238925864520536688227509092240796275367863849441555369619874101707276200068568845330657310191485021893");                                     Integer Q23("695889950734455956990816637440886403");                                     Integer G23("6235103830417276907842475920843204847598558146071605570728952034730450371342891060733864638876293941592533109510797887080772668269563778561995271156429372");                                     Integer Y23("6003691331075818079980163077354132821700005903596552432667451226242540519520492754527257404731517551898937294150293511876361452905389869989041543063633316");                                       CryptoPP::Integer P42("7019381798617006716835813087296001796150962106074841238925864520536688227509092240796275367863849441555369619874101707276200068568845330657310191485021893");                                     CryptoPP::Integer Q42("695889950734455956990816637440886403");                                     CryptoPP::Integer G42("6235103830417276907842475920843204847598558146071605570728952034730450371342891060733864638876293941592533109510797887080772668269563778561995271156429372");                                     CryptoPP::Integer Y42("31275952841998020538913107300713992");                                       ElGamalSigPublicKey testpublicKey23( P23, Q23, G23, Y23 );                                     CryptoPP::NRDigestVerifier testpublicKey42( P42, Q42, G42, Y42 );                                       bool b42testVerified = testpublicKey42.VerifyDigest( (const byte*)testSha, CryptoPP::SHA::DIGESTSIZE, (const byte*)testNr );                                     bool b23testVerified = testpublicKey23.Verify( (const byte*)testSha, CryptoPP::SHA::DIGESTSIZE, (const byte*)testNr );   The testpublicKey23.Verify() succeeds, but the testpublicKey42.VerifyDigest() fails, even though they are verifying the same signature of the same hash, and were constructed with identical constants.  (We use the Integers to serialize public keys (either to files or for a stream to some network destination) and reconstruct them later.)  If I can’t get a later version of crypto to verify the signatures of byte streams signed by crypto 2.3, then I don’t think I’ll be able to effect the upgrade.   I also tried with 5.2.1:                                       unsigned char testNr[ 31 ] = "\x0B\xB1\x5B\x75\xED\x14\x3D\x92\x26\x37\xCA\x89\xD7\x8E\x4B\x60\xC7\x60\xA7\x1C\x7A\x24\xBD\x51\x29\x96\x1A\xC2\x9E\x34";                                     unsigned char testSha[ CryptoPP::SHA::DIGESTSIZE + 1 ] = "\xEE\x03\x25\x47\xFF\xBA\x68\x83\xC4\xA2\x12\xE5\x14\xBA\xE5\x45\x61\x3F\x2A\xE4";                                       CryptoPP::Integer P52("7019381798617006716835813087296001796150962106074841238925864520536688227509092240796275367863849441555369619874101707276200068568845330657310191485021893");                                     CryptoPP::Integer Q52("695889950734455956990816637440886403");                                     CryptoPP::Integer G52("6235103830417276907842475920843204847598558146071605570728952034730450371342891060733864638876293941592533109510797887080772668269563778561995271156429372");                                     CryptoPP::Integer Y52("31275952841998020538913107300713992");                                       NR<DummyHash>::Verifier testpublicKey52( P52, Q52, G52, Y52 );                                       bool b52testVerified = testpublicKey52.VerifyMessage( (const byte*)testSha, CryptoPP::SHA::DIGESTSIZE, (const byte*)testNr, 30 );   (In “real life” I would not use a dummy hash, I would use NR<SHA> on the original data instead, but by using a dummy hash I eliminate SHA from being a factor in the problem.)   Is there something I am doing wrong, or has there been a standards change?  How can I get 5.2 to accept 2.3 signatures?