In DSA, can we tell if signatures are for the same key pair?

fgrieu

7/17/24, 9:30 AM

We are given some distinct DSA signatures $(r_i,s_i)$ and the distinct hashes $H_i$ of the corresponding messages. The signatures and messages are non-maliciously made per the same known group parameters $(p,q,g)$ (say the 2048-bit MODP group with 256-bit prime order subgroup of RFC 5114), using either one of two distinct non-maliciously drawn public/private key pairs. We do not know these public keys, much less these private keys.

Can we tell whether two signatures pertain to the same public key?

Inspired by this question.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: In DSA, can we tell if signatures are for the same key pair?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.