To prove the validity of the signature we must see that the tuple *(R,s)* actually came from the private key *x* in particular *s* was derived as *s=r+cx*. Obviously we should not possess *x* (which is the reason why we need this verification equation) so

- Looking at
*g*we relize that we know^{s}= RX^{c}*(R,s), X*and*c*. (Since*c = H(X,R,m)*and the public key*X*is obiously public and known. As the generator*g*is also know this means we can actually compute both sides of the equation. - Since
*s=r+cx*we know that*g*^{s}= g^{r+cx} - Since we do these calculations in a
**cyclic**group of**prime**we can apply the following laws: g^{a + b}= g^{a}g^{b}and g^{ab}= (g^{a})^{b}(As far as I understand this is the reason why the group needs to be cyclic and of order) - Thus
*g*^{s}= g^{r+cx}= g^{r}g^{cx} - Recalling
*R = g*and entering to the equation from 4. we get^{r}*g*^{s}=R g^{cx} - Recalling the other law from 3. we have
*g*^{s}=R g^{cx}= R(g^{x})^{c}= RX^{c}

This is exactly the equation that was supposed to be shown.

Note the interesting fact that as mentioned in 1. the data to verify the equation is known but producing the data can only work if *x* and *r* are known. That is why the owner of *x* can produce the signature and others can verify it.