In the above mentioned paper we have described a variant of DSA set in a subgroup of Ζ~*-n, where n= pq is the product of two large primes which are kept secret. As is pointed out in Mathematical Reviews (MR2480691) there is a flaw in the description since the verifier must know the order of this subgroup in order to compute S~-1-p and S~-1-q required for the verification procedure. We can correct this point as follows.The signer computes S~-1-p mod πp and S~-1-q modπq and the signature of a message x is {R, S~-1-p, S~-1-q) instead of (R, Sp Sq). The verifier can now perform the verification and the security analysis still stands.
展开▼
