So the problem is that in real documents and RSA, the same signature can be applied to multiple documents. What we need is a signature unique to a specific document, and since ElGamal changes the key for every message, let's see if we can use ElGamal for digital signatures.

So remember, to set up an ElGamal system, Alice announces a public base A and a public modulus N. If Alice and Bob want to communicate, Alice chooses a private exponent X and sends P congruent to A to power X mod N to Bob. Bob chooses a private exponent Y and sends Q congruent to A to power Y mod N to Alice. Alice computes K congruent to Q to the X. Bob computes K congruent to P to the Y, and messages M can be encrypted as KM mod N.

And again Alice can prove her identity by showing she knows X, and she could do this by announcing X, but this reveals too much information. And so Alice wants to do two things: show that she knows X, and tie the X to a specific message M. And here's an important consideration. Because ElGamal relies on destroying X and Y, the private exponents, after the communication, she can't rely on X or Y after signing the document. And this leads to a rather odd situation: Alice needs to prove her identity by revealing that at one time she knew the value of X, even though she might not know it currently.

And we might proceed as follows. Since X is a power, we might consider making the message M a power as well. And this suggests that A to the M will play a role in Alice's signature. Let's think about that a little more. ElGamal relies on Alice and Bob providing half keys to each other. And this suggests we can implement an ElGamal signature system by having Alice provide two half signatures, S1 and S2, that combine to produce A to power M. Since Alice also has to establish her identity by showing she knows X, we might try to send S1 congruent to A to power X, and S2 congruent to A to power M minus X. That way, when we multiply S1 by S2, we get A to power M.
Except this doesn't work. Since Alice already communicated A to power X, that's the half key she sent to Bob, then Eve can find A to power M minus X simply by solving A to power M congruent to S1 times S2 mod N.

So let's think about that a little more. Remember, the security of ElGamal relies on the difficulty of solving the DLP. Suppose Alice chooses a new value of K with S1 congruent to A to power K mod N. Alice could then use her unique knowledge of K and X, and the message M, to produce the second part of the half key. So we note that A to power M, we can write that as A to power K times A to power M minus K, but this doesn't incorporate Alice's other exponent X. So we might use A to power M congruent to A to power KX times A to power M minus KX. And we'll rearrange this a little bit. So keep in mind the things that Bob knows: Bob knows A, the public base, and M, the message that Alice is supposed to sign. Unfortunately, Bob can't compute the right-hand side without knowing the value of X. And so even if Alice sends him S1, he can't verify her identity.

Well, let's see what else we can do. How about instead of multiplying the two keys, suppose we exponentiate them? As before, we'll let S1 be equal to A to power K for some random K, and what we want is for A to power M to be congruent to S1 to power S2. Or rearranging, if we take S2 to be equal to K inverse M, then this expression, A to power K to power S2, becomes... And this gives us an S1, S2 that will verify the message. And now we have something that relies on Alice's unique knowledge of K, except it doesn't incorporate X.

Well, let's try one more thing. So again, we'll let S1 be A to power K, and this time, let's just consider S1 to power S2 by itself. That's going to be A to power K to power S2, and S2, we'll want that to include K inverse. We'll want that to include M, and we'll want that to include X.
And so we'll let S2 be K inverse times the quantity M minus S1X, where we'll see in a moment why we need that S1 there. And so that means this S1 to power S2, well, that's going to be A to power K times K inverse times the quantity M minus S1X. Rearranging things a little bit, this is the same as A to power M times A to power minus S1X. But remember, P, Alice's half key, which she sent out to Bob, is equal to A to power X. And so this can be rewritten as A to power M times P to power minus S1. We'll rearrange that a little bit. Remember, this is S1 to power S2, congruent to A to power M times P to power minus S1, multiplying by P to power S1 on both sides gives us. And so this expression over here on the left is A to power M. Now remember, S1 and S2 rely on this number K that Alice chose, this number X that Alice chose to form her half key, and the message M. And so only Alice can provide S1 and S2 that make this true for this particular document.

And this gives us the ElGamal digital signature scheme. Alice has an ElGamal system with public base A, public modulus N, and Bob wants her to sign message M. So Alice picks X and evaluates P congruent to A to power X mod N, which is her half key for communication with Bob. Alice also picks a new K and evaluates S1 congruent to A to power K mod N. Alice then evaluates S2 congruent to K inverse times the quantity M minus S1X, mod phi of N. And this has to be mod phi of N, because if you look at where S2 shows up, it's an exponent mod N. And remember, exponents mod N can be reduced mod phi of N. And so for document M, with encryption half key P, her signed document is going to be S1, S2.

And to verify this, Bob checks first V congruent to P to power S1 times S1 to power S2 mod N, and also W congruent to A to power M mod N. If V is equal to W, then the message is genuine and legitimately signed.
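
The scheme above, together with the rejected first attempt, as an added Python example that is not part of the original lecture. The parameters N = 467 and A = 2, the function names, and the range check in `verify` are assumptions made for illustration; variable names otherwise follow the lecture's symbols.

```python
import math
import secrets

# Constructed toy parameters, far too small for real use.
# N is prime, so phi(N) = N - 1.
N = 467
A = 2
PHI = N - 1

def keygen(x=None):
    """Return (x, p): private exponent x and public half key p = A^x mod N."""
    if x is None:
        x = secrets.randbelow(PHI - 1) + 1
    return x, pow(A, x, N)

def sign(m, x, k=None):
    """Return (s1, s2) with s1 = A^k mod N and s2 = k^-1 (m - s1*x) mod phi(N)."""
    if k is None:
        # A new k for every document; it must have an inverse mod phi(N).
        k = secrets.randbelow(PHI - 1) + 1
        while math.gcd(k, PHI) != 1:
            k = secrets.randbelow(PHI - 1) + 1
    elif math.gcd(k, PHI) != 1:
        raise ValueError("k has no inverse mod phi(N)")
    s1 = pow(A, k, N)
    s2 = pow(k, -1, PHI) * (m - s1 * x) % PHI
    return s1, s2

def verify(m, p, s1, s2):
    """Bob's check: V = p^s1 * s1^s2 mod N must equal W = A^m mod N."""
    # Range check is a standard hardening step, not stated in the lecture.
    if not (0 < s1 < N and 0 <= s2 < PHI):
        return False
    v = pow(p, s1, N) * pow(s1, s2, N) % N
    w = pow(A, m, N)
    return v == w

def first_attempt_from_public(m, p):
    """Rejected design S1 = A^x, S2 = A^(m-x): both follow from public p alone,
    so producing them proves nothing about knowing x."""
    s1 = p
    s2 = pow(A, m, N) * pow(p, -1, N) % N
    return s1, s2

if __name__ == "__main__":
    x, p = keygen()
    s1, s2 = sign(100, x)
    print("genuine document verifies:", verify(100, p, s1, s2))
    print("altered document verifies:", verify(101, p, s1, s2))
```
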