Interesting quote from an old Matt Green blogpost:
"You might find it a bit strange that I’m mentioning DSA in a discussion about provable security. This is mainly because, unlike the Elgamal signature on which DSA is based, the DSA standard has no security proof whatsoever.
There’s no really defensible reason for this. As best I can tell, NIST took a look at the Elgamal signature and thought it was cute, but the signatures were a little bit too long. ..."
" ... So they took some scissors to it and produced something that looks basically the same, but doesn’t have the very nice reduction to the Discrete Logarithm assumption that Elgamal did.
This kind of behavior is par for the course, and honestly it gets me a little down on government standards bodies.
from https://blog.cryptographyengineering.com/2011/11/02/what-is-random-oracle-model-and-why/ (you should read the whole series really, there are 5 articles).
Casts extra light on what I said at the end of https://joinmarket.me/blog/blog/liars-cheats-scammers-and-the-schnorr-signature/
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!