The efficient digital signature technique with message recovery based on elgamal


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The efficient digital signature technique with message recovery based on elgamal

  1. 1. INTERNATIONALComputer Engineering and Technology ENGINEERING International Journal of JOURNAL OF COMPUTER (IJCET), ISSN 0976- 6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME & TECHNOLOGY (IJCET)ISSN 0976 – 6367(Print)ISSN 0976 – 6375(Online) IJCETVolume 4, Issue 2, March – April (2013), pp. 189-197© IAEME: Impact Factor (2013): 6.1302 (Calculated by GISI) © THE EFFICIENT DIGITAL SIGNATURE TECHNIQUE WITH MESSAGE RECOVERY BASED ON ELGAMAL Saima Salmaz1, Ram Lal2 1 Department of computer science and engineering, GNIT, Greater Noida, India 2 Computer Services Center, IIT Delhi, India ABSTRACT The digital signature scheme allows authenticating documents with non-repudiation and data integrity. The problem of ElGamal digital signature scheme is that, the message recovery is not provided and its security is constantly being challenged. The security disadvantage of the original ElGamal algorithm is that, it has only one random number. In order to improve its security, the proposed scheme adds one more random number. The security of the proposed signature scheme is the same with the ElGamal signature scheme which is based on the difficult computable nature of discrete logarithm over finite fields. In this paper, the algorithm is proposed to enhance the security and usage of more random number to make algorithm more complicated, which can also make the link between the random number and the key more complicated. The attacks like forgery and parameter reduction are also not applicable on it. The length of the message is independent, so it is suitable for long messages. KEYWORDS Public key cryptography, ElGamal signature scheme, Discrete logarithm problem, Blind digital signature. 1. INTRODUCTION A digital signature scheme with message recovery is also known as blind signature scheme. The scheme in which original message is not required at the time of verification of the document. The original message is appended to the signature and recovered at the time of message recovery process and the recovered message is then used to verify the documents [1]. The first concept of digital signature with message recovery was proposed in 1978 [2] 189
  2. 2. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEMEand based on that in the past years, many approaches are given that are on discrete logarithmproblems with the concept of message recovery in digital signature techniques [3-5], [21].The Schnorr and DSA are the methods based on ElGamal digital signature technique [22].All the public key algorithms are practically slower than the symmetric key algorithms at thetime of encryption and decryption [6-8]. There are many digital signature schemes that do notprovide message recovery technique such as MD5, SHA, SHA-152 etc. But messagerecovery techniques have many advantages such as for any plain-text it will produce differentdigital signatures every time when we run its algorithm because it uses randomly chosenparameters to generate the digital signatures. The size and length of the signatures depend onthe plain-text in the case of message recovery, but fixed in the case of digital signatureschemes without message recovery [9-13]. There are many signatures schemes that have beenimproved which are based on ElGamal digital signature scheme. The message recovery andverification features are added in those schemes [14-16]. The Nyberg and Rueppel hadproposed ElGamal signature scheme with message recovery in 1993 [17] and after this manyschemes were given [14], [18], [19], [20]. Our purpose is to improve the functionality ofElGamal digital signature by adding the property of message recovery and increase security.The proposed technique is based on discrete logarithmic problem and its properties.2. LITERATURE REVIEW The main problem with the ElGamal digital signature scheme was message recovery.The original ElGamal scheme does not contain message recovery techniques and someattacks are possible on it [22]. Nyberg and Rueppel [4] introduced the signatures schemesbased on DLP with message recovery which has been adopted in the recent IEEE standards.In the year 1999, M Abe, T Okamoto [18] also explained the digital signature techniques withmessage recovery based on DLP; they explained the new method of message recovery. OmarKhadir [22] provides the details on the possible attacks on the security of ElGamal digitalsignature. Chen, Shen & Lv [21] introduced the new modified scheme which is the variant ofElGamal and existing attacks are impossible on it. Then they improved the scheme accordingto the existing problems of ElGamal digital signature scheme, and proposed an implicitElGamal type digital signature scheme with the function of message recovery. The newimplicit signature scheme with the function of message recovery was formed, after havingtried to hid part of signature message and refining forthcoming implicit type signaturescheme. They also analyses the safety of the refined scheme, and their results indicate that thenew scheme is better than the old one [21].Signature schemes with message recovery providethe feature that the message is recoverable from the signature and hence does not need to betransmitted separately. Recently a number of ID-based signatures schemes with messagerecovery have been proposed. Kalkan, Kaya & Selcuk [20] introduced the generalized ID-based ElGamal signatures with message recovery. Their previously proposed ID-basedsignature schemes with message recovery turn out to be special instances of their generalizedscheme. They also obtain several new ID-based signatures with message recovery from thisgeneralized scheme which have not been explored before [20]. There have been severalapproaches in the past to obtain signature schemes with message recovery based on thediscrete logarithm problem. Horster, Michels & Petersen [23] generalizes this approach into aMeta-Message recovery scheme by applying the ideas of the Meta-ElGamal signaturescheme. They also provide a Meta-blind signature schemes which have been developed fromthe ElGamal based blind signature scheme. From their Meta schemes we can get various 190
  3. 3. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEMEvariants from which some are more efficient then the already known ones. They alsorecommended this for practical use. In their paper, they have given interesting applications ofthe presented Meta-schemes like authentic encryption schemes, key distribution protocolsand authentication schemes [23].With the wide application of ElGamal digital signaturescheme, its security is usually being challenged and the problem becomes increasinglyserious. In order to resolve the security decline, caused by the ElGamal signature schemewhich uses only one random number, a modified scheme was proposed by Chen, Shen, Lvand Lin [24]. They add a random number to the scheme in order to increase the difficulty ofdeciphering key, and therefore improve the security correspondingly. As same as theElGamal signature scheme, the improved signature scheme is also based on the difficulty indiscrete logarithm finite field. Eventually the improved signature scheme was analyzed onsecurity and time complexity. The analysis shows that the security of the improved signaturescheme is higher than original one, and has a relatively low time complexity [24].A digitalsignature scheme allows one to sign an electronic message and later the produced signaturecan be validated by the owner of the message or by any verifier. Most of the existing digitalsignature schemes were developed based on the use of hash function and massageredundancy to resist against forgery attack. Mohanty & Majhi [25] proposed a signaturescheme with message recovery and without using one way hash function which is secure andpractical. They also showed that the proposed scheme is secure against the parameterreduction attack and forgery attack. Security of their scheme is based on the complexity ofsolving the discrete logarithm problem and integer factorization. Their proposed scheme doesnot use message redundancy and is also suitable to provide signature on long messages [25].ElGamal public-key cryptosystem is an international public-key cryptosystem, and also is amore effective and secure algorithms used to secret communication networks and digitalsignature. It is the foundation of many special-purpose digital signatures. But ElGamal digitalsignature algorithm exist a security flaw that random numbers cannot repeated usage. Jun,Ying and Dong [26] puts forward an improving method aimed at the security flaw, and makessecurity analysis to the improved algorithm, and proves its correctness in their paper[26].3. ELGAMAL DIGITAL SIGNATURE ALGORITHM The parameters on which the system is based are, the large prime number p andprimitive root g of mod p (g the generator of Zp*). At Bob’s side: signer randomly generatesan integer x (such that 1 < x< p -1), x is private key. Public key calculated by the Bob isy =g x mod p (3.1)y is a public key.For plain text m, where 1≤m≤p-1, Bob selects arbitrary an integer K, such that GCD (K, p-1)=1.Signature generation: Bob seeks signature text (R, S)R = g K mod p (3.2)And m = x R + KS mod (p -1) orS = K-1 1(m – x R) mod (p -1) (3.3) 191
  4. 4. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEMESignature verification: Alice authenticates the signature (R, S)g m ≡ y R RS mod p (3.4). If the result of (3.4) is correct, and (R, S) is genuine signature of m, otherwise it isillegal. For ElGamal digital signature, because it is based on discrete logarithm problem, ifsolving the discrete logarithm, we can find private key x of Bob by y and g, when p is not avery large. As the k non-reusable, in practice, we must remember the random number hasbeen used, since the signature is used to compare later. In the network information soadvanced today, no doubt that the ElGamal digital signature algorithm is a fatal defect [26].To reduce this defect, we can introduce more random numbers to increase the link betweenthe random number and signature. And this random number and the original position and roleof the private key are same. Private keys from one to two, the introduction of random numberhas a direct connection with signature, and does not change the overall structure of theoriginal algorithm. According to the methods analysis to the attacking on random number, it was foundthat if the random number is insecure then, hacker can easily calculate the value of randomnumbers or the value of the key. It is resulted from the analysis that it is easier to hack therandom number than hack the key. It can be seen that there is no essential difference betweenthe random number k and the private key x.4. IMPROVED DIGITAL SIGNATURE ALGORITHM The difference between the proposed algorithm and the original ElGamal digitalsignature algorithm is mainly reflected in increasing more random numbers and unknownvalues. By increasing more equations like (3.2) & (3.3), the original algorithm will becomecomplicated and more difficult to decipher. .The proposed algorithm is as follow:Step 1: A large prime number p is produced by system, g is a generator of Zp*, x (1≤x≤p-1).is the signers private key, the corresponding signature public key Y can be calculated asY = g x mod p. (4.1)This is opened to the public to verify digital signature. Now, public key is [p, g, y] andprivate key is [x].Step 2: Two different random numbers K and t are randomly selected by system where t,k and x must be co-prime (and 1≤ t, K ≤p-1).Step 3: Calculate digital signature of the message M where 1≤M≤p-1.R = g K mod p (4.2)S = (K + Rx) mod p-1 (4.3)V = M * g–t mod p (4.4)Z = (t +SV) mod p-1 (4.5)Now, digital signature is [R, V, Z]Step 4: The signature of plain text M is [R, V, Z] is sent to the corresponding customers bysystem. The customers use the following equation to verify the correctness of plaintext Mdigital signatures. 192
  5. 5. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME1. Recovery of the message MM = V *g Z * R–V * Y–RV mod p (4.6)Proof of Message recovery:M = V * g Z * R–V * Y–RV= M * g–t g Z * R–V Y–RV by (4.4)= M * g–t g Z * g–KV Y–RV by (4.2)= M * g–t g Z * g–KV * g–x R V by (4.1)= M * g–t g Z * g–V(K + Rx)= M * g–t g Z * g–V(S) by (4.3)= M * g–t g t +SV * g–V(S) by (4.4)= M * g t + SV–VS–t= M * g 0 = M original message2. Verification of Digital signatureV1 = M V mod p (4.7)V2 = (V (g Z (R * Y R) –V)) V mod p (4.8)If V1 = V2, then signature is genuine and original message is recovered.If V1 ≠ V2, then signature is not genuine and original message is not recovered.Proof of verification equation:V2 = (V (g Z (R * YR)–V)) V mod p= VV * (g Z (R * YR)–V) V mod p= M V * g –t V * (g Z (R * YR)–V) V mod p by (4.4)= M V * g –t V * (g Z (R–V * Y–V R )) V mod p= M V * g –t V * (g Z (g–kV * g–x V R)) V mod p by (4.1) & (4.2)= M V * g –t V * (g t +SV * g–kV * g–x V R) V mod p by (4.5)= M V * g –t V * (g t +SV * g –V (K + Rx)) V mod p= M V * g –t V * (g t +SV * g –V(S)) V mod p by (4.3)= M V * g –t V * (g t +SV–VS) V mod p= M V * g –t V * (g t)V mod p= M V * g0 mod p= M V mod p= V1 In the above-mentioned proposed ElGamal digital signature algorithm, the samemessage M corresponded to the different digital signature (R, V, Z) for the different randomnumber K, t. And they can be all verified through the equations above and improves theuncertainty of the signature, because k & t are co-prime and in equations t, S, K and x areunknown values. This helps in improving the security. 193
  6. 6. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME Start 1. Choose a large prime number p 2. Select Primitive root modulo g of p 3. A private key x where 1≤x≤p Calculate a key y y=g x mod p. Private Key [x] Public Key [p, g, y] Signature Generation Calculate digital signature of message M, where 1≤M≤p Digital Signature [R, V, M] Message Recovery Choose random numbers K & t where t, K and x must be co-prime (and 1≤ t, K ≤p-1). R = g K mod p M = V *g Z *R –V *Y –R V mod p S = (K + Rx) mod p-1 V = M * g –t mod p Signature Verification Z = t + SV mod p-1 V1 = M V mod p V2 = (V (g Z (R* YR) –V)) V mod p If V1=V2 If V1≠V2 Signature is genuine and Signature is not genuine original message is And original message is not recovered. recovered. Figure (1) Flow chart of proposed Digital signature technique5. RESULT AND DISCUSSION The proposed algorithm is executed on matlab and based on the outcomes the resulthas been discussed. Our proposed scheme completely withstand with the message recoverytechnique that is an improvement to the previously proposed digital signature schemes.Discrete logarithmic problem plays a very important role in selection of keys and generationof digital signature. As compared to previously proposed schemes based on ElGamal we haveused two random numbers (t & K) to make the algorithm more secure. The values of t, x & Kare used to generate the digital signature and are unknown and random. S is one intermediate 194
  7. 7. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEMEvalue that is unknown by the verifier and dependent on t and x. The proposed scheme recovermessage from the signature itself otherwise it will give an error. The message “The quickbrown fox jumps over the lazy dog” is used to generate the digital signature for large primenumbers and the result has been compared on the basis of execution time and security ofalgorithm. Prime Primitive modulo Key selections Message Signature number generation (public Key) recovery Verification (sec) P g y (sec) (sec) 11483 78.5278 (11483,1432,10375) 1.5414 0.0030 19913 208.6068 (19913, 939, 17743) 10.0790 0.0057 1999 5.6546 (1999, 1761, 782) 0.0910 0.0011 As we can see in the above table, if we take very large prime number then it isdifficult to compute discrete logarithm problem over Zp. The primitive modulo generationtake more time for larger value of prime number p but message recovery and verificationtakes nearly the same time.5.1 Attack to recovery of private key of signer It is almost difficult to compute the discrete logarithm problem over Zp when p is alarge prime number and k & t are two random and unknown numbers. Therefore, it isdifficult to solve three unknown values S, K & x in equation 4.3 and to recover private key ofsigner.5.2 Forgery Attack It is difficult to find x because S, k and x all are unknown in equation 4.3. For givenV, t is unknown and difficult to compute Zp (as p is a large prime number). If V and Z bothare known then also it is difficult to solve the equation 4.5 because there are two unknownvalues t and S in equation 4.5. Hence our scheme is secure.5.3 Suitable for long messages This scheme is suitable for long message because message m is not in exponent as inKang et al.’s scheme, therefore if message is large then also is not impractical and verydifficult to solve this equation 4.4.6. CONCLUSION The signature scheme proposed above can recover message from the signature itselfand parameter reduction attack is not applicable on it. The scheme fully supports the messagerecovery feature, as message can easily recovered from the signature, so there is no need tosend message along with the signature. It is also proved in Section 4 that the proposedscheme is more secure due to the use of more random values (K & t) and S is also an implicitvalue. Key generation use safe and large primes. We can also use this for signing largedocuments such as files etc. Hence the proposed signature scheme can be applicable in areaslike e-banking, e-commerce, and e-voting. 195
  8. 8. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEMEACKNOWLEDGEMENTS I acknowledge my sincere and deep indebtedness to my mentor for his valuableguidance, keen interest and encouragement throughout this work. I also acknowledge mysincere gratitude to authorities of IIT Delhi and other technical staff of Computer servicescenter for their help and assistance. I am also thankful to my fellow faculty research membersfor their cooperation.REFERENCES[1] An Efficient ID-based Digital Signature with Message Recovery Based on Pairing”, Raylin Tso and Chunxiang Gu and Takeshi Okamoto and Eiji Okamoto, 2007, ISBN: 3-540-76968-4 978-3-540-76968-2.[2] R. L. Rivest, A. Shamir, L. Adleman “A method for obtaining digital signatures and public-key cryptosystems”, Comm. of the ACM, Vol. 21, (1978), S. 120-126.[3] K. Nyberg, R. Rueppel, “A new signature scheme based on the DSA giving message recovery”, Proc. 1st ACM Conference on computer and Communications Security, Fairfax, Virginia, Nov, 3-3.,(1993), 4 pages.[4] K. Nyberg, R. Rueppel, "Message recovery for signature schemes based on the discrete logarithmic problem “, Pre-proceedings of Eurocrypt ’94, University of Perugia, Italy, (1994), pp. 175-190.[5] J. M. Piveteau, “New signature scheme with message recovery” Electronics Letters, Vol. 29, No. 25, (1993), pp. 2185.[6] Chenn Zhi-Ming. “An improved encryption algorithm on ElGamal algorithm” Computer Applications and Software, 2005, 22 (2): 82-85.[7] Wang Li, Xing Wei, Xu Guang-zhong. “ElGamal public-key cryptosystem based on integral quaternions” Computer Applications, 2008, 28(5):1156-1157.[8] Lu Hong-wen, Sun Yu-hua. “A Public-key Cryptography Using Integral Quaternions”. Journal of Tong Ji University, 2003, 31(12)[9] Huang Zhen-Jie, Wang Yu-min, Chen Ke-fei “Generalization and improvement of Nyberg-Rueppel message recovery blind signatures” [J]. Journal on Communications, 2005, 26(12): 131-135.[10] CHEN Hui-yan, LB Shu-wang, Liu Zhen-hua. Identity Based Signature Scheme with Partial Message Recovery [J]. Chinese Journal of Computers, 2006, 29 (9): 1622- 1627.[11] Cao Tian-jie, Lin Dong-dai. “Security analysis of a signature scheme with message recovery” Journal of Zhejiang University (Science Edition), 2006, 33 (4): 396~ 397[12] Kan Yuan-ping. “A Signature Scheme wit h Message Recovery Based on Elliptic Curves”. Computer engineering and science, 2010, 32(2): 58-59.[13] Haipeng Chen, Xuanjing Shen and Yingda Lv, “An Implicit ElGamal Digital Signature Scheme”, Journal of Software, vol. 6, no. 7, July 2011[14] Nyberg K. and Rueppel R.A. “message recovery for signature schemes based on the discrete logarithm problem” in EUROCRYPT, 1995, 182~193.[15] Wang Qing- ju, Kang Bao- yuan, Han Jin- guang “Several new ElGamal Type Digital Signature Schemes and Their Enhanced Schemes” [J] Journal of East China Jiaotong University, 2005, 22(5): 127-138 196
  9. 9. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME[16] Zhang Hui-ying, Zhang Jun. “Research and Design of an Improved ElGamal Digital Signature Scheme” [J] Computer Engineering and Science, 2009, 31(12): 35-38.[17] K. Nyberg and R. A. Rueppel “A new signature scheme based on the DSA giving message recovery” In Proc. of 1st ACM conference on communication and computer security, pages 58–61, 1993.[18] M. Abe and T. Okamoto “A signature scheme with message recovery as secure as discrete logarithm” In Proc. of ASIACRYPT’99, volume 1716 of LNCS, pages 378–389. Springer- Verlag,1999.[19] C. Y. Yeun. “Digital signature with message recovery and authenticated encryption (signcryption) – a comparison” In IMA - Cryptography and Coding’99, volume 1746 of LNCS, pages 307–312, 1999.[20] Said Kalkan, Kamer Kaya, Ali Aydin Selcuk, “Generalized ID-Based ElGamal Signatures with Message Recovery”, ISCIS 2007.[21] Haipeng Chen, Xuanjing Shen and Yingda Lv, “An Implicit ElGamal Digital Signature Scheme”, Journal of software, Vol. 6, No. 7, 2011, pages 1329-1336.[22] Omar Khadir, “New Variant of ElGamal Signature Scheme”, Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653 – 1662.[23] Patrick Horster, Markus Michels, Holger Petersen, “Meta Message Recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications”, TR-94-9.[24] Haipeng Chen, Xuanjing Shen, Yingda Lv, Jiaying Lin, “An Improved ElGamal Digital Signature Algorithm Based on Adding a Random Number”, 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing[25] Sujata Mohanty, Banshidhar Majhi, “A Digital Signature Scheme with message recovery and without one-way hash function” 2010 International Conference on Advances in Computer Engineering, pages 265-267.[26] Zhang Jun, Zhang Hui Ying, Ji Wei Dong, “ElGamal Digital Signature Scheme with a Private Key Pairs” Information Engineering and Computer Science (ICIECS), 2010, pages 1-5.AUTHORS Saima Salmaz, Assistant professor of computer science and engineering at GNIT Greater Noida since 2011, received her B.Tech degree in CSE from Jamia Millia Islamia University in year 2009 and M.Tech Degree from MDU Rohtak in the year 2011. In year 2012, was worked as summer research faculty fellow at IIT Delhi. Dr. Ram Lal is a faculty in Computer Services Centre at Indian Institute of Technology Delhi, Hauz-khas, New Delhi 110016, India. His areas of interest are object-oriented programming, Matlab Programming, information technology, e-governance application and system administration. His publications have appeared in various leading journals and international conferences. 197