The El Gamal signature scheme is, as you might have guessed, used to compute digital signatures. The algorithm, as seems to be universally true of public key schemes, is named after its inventor. As with Diffie-Hellman, the algorithm relies on the difficulty of the discrete logarithm problem for its security. Also, there is a variant of El Gamal that can also be used for encryption, but here we just present the signature scheme.

The algorithm requires a prime, p, and a generator g. A user chooses a random private key x, and computes y = g^x mod p.

The public key is (y,p,g).

The private key is x.

To sign a message M, choose a random number k such that k has no factor in common with p - 1 and compute a = g^k mod p. Then find a value s that satisfies M = xa + ks mod (p - 1) (the extended Euclidean algorithm will solve this).

The signature is the pair (a,s).

The signature is verified by computing y^aa^s mod p = g ^M mod p.