The security of the ElGamal digital signature scheme against selective forgery relies on the difficulty of solving the congruence g H(m) ≡ y r r s (mod p) for r and s, given m, g, y, and p but not knowing the discrete logarithm of y modulo p to the base g. (We assume for the moment the security of the hash function H(m).) Similarly, the security of a certain variation of this scheme given in, e.g., [11, Note 11.71], relies on the difficulty of solving (1) g H(m) ≡ y s r r (mod p). It is generally expected that the best way to solve either of these congruences is to calculate the discrete logarithm of y, but this is not known to be true. In particular, another possible option would be to choose s arbitrarily and solve the relevant equation for r. In the case of (1), this boils down to solving equations of the form x x ≡ c (mod p). We will refer to these equations as “self-power equations”, and we will call the map x ↦ → x x modulo p, or modulo p e, the “self-power map”. This map has been studied in various forms in [4–10, 12]. In this work we will investigate the number of fixed points of the map, i.e., solutions to (2) x x ≡ x (mod p) and two-cycles, or solutions to (3) h h ≡ a (mod p) and a a ≡ h (mod p). We will start by considering F (p), the number of solutions to (2) such that 1 ≤ x ≤ p − 1, which lets us reduce the equation to x x−1 ≡ 1 (mod p). Then we just need to consider the relationship between the order of x and of x x−1 modulo p and we can proceed as in  or  to prove
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.