Efficient Digital Signature Technique with Message Recovery Based on ElGamal

INTERNATIONALComputer Engineering and Technology ENGINEERING
International Journal of JOURNAL OF COMPUTER (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
& TECHNOLOGY (IJCET)

ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online) IJCET
Volume 4, Issue 2, March – April (2013), pp. 189-197
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
©IAEME
www.jifactor.com

THE EFFICIENT DIGITAL SIGNATURE TECHNIQUE WITH
MESSAGE RECOVERY BASED ON ELGAMAL

Saima Salmaz1, Ram Lal2
1
Department of computer science and engineering, GNIT, Greater Noida, India
2
Computer Services Center, IIT Delhi, India

ABSTRACT

The digital signature scheme allows authenticating documents with non-repudiation
and data integrity. The problem of ElGamal digital signature scheme is that, the message
recovery is not provided and its security is constantly being challenged. The security
disadvantage of the original ElGamal algorithm is that, it has only one random number. In
order to improve its security, the proposed scheme adds one more random number. The
security of the proposed signature scheme is the same with the ElGamal signature scheme
which is based on the difficult computable nature of discrete logarithm over finite fields. In
this paper, the algorithm is proposed to enhance the security and usage of more random
number to make algorithm more complicated, which can also make the link between the
random number and the key more complicated. The attacks like forgery and parameter
reduction are also not applicable on it. The length of the message is independent, so it is
suitable for long messages.

KEYWORDS

Public key cryptography, ElGamal signature scheme, Discrete logarithm problem,
Blind digital signature.

1. INTRODUCTION

A digital signature scheme with message recovery is also known as blind signature
scheme. The scheme in which original message is not required at the time of verification of
the document. The original message is appended to the signature and recovered at the time of
message recovery process and the recovered message is then used to verify the documents
[1]. The first concept of digital signature with message recovery was proposed in 1978 [2]
189

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-

and based on that in the past years, many approaches are given that are on discrete logarithm
problems with the concept of message recovery in digital signature techniques [3-5], [21].
The Schnorr and DSA are the methods based on ElGamal digital signature technique [22].
All the public key algorithms are practically slower than the symmetric key algorithms at the
time of encryption and decryption [6-8]. There are many digital signature schemes that do not
provide message recovery technique such as MD5, SHA, SHA-152 etc. But message
recovery techniques have many advantages such as for any plain-text it will produce different
digital signatures every time when we run its algorithm because it uses randomly chosen
parameters to generate the digital signatures. The size and length of the signatures depend on
the plain-text in the case of message recovery, but fixed in the case of digital signature
schemes without message recovery [9-13]. There are many signatures schemes that have been
improved which are based on ElGamal digital signature scheme. The message recovery and
verification features are added in those schemes [14-16]. The Nyberg and Rueppel had
proposed ElGamal signature scheme with message recovery in 1993 [17] and after this many
schemes were given [14], [18], [19], [20]. Our purpose is to improve the functionality of
ElGamal digital signature by adding the property of message recovery and increase security.
The proposed technique is based on discrete logarithmic problem and its properties.

2. LITERATURE REVIEW

The main problem with the ElGamal digital signature scheme was message recovery.
The original ElGamal scheme does not contain message recovery techniques and some
attacks are possible on it [22]. Nyberg and Rueppel [4] introduced the signatures schemes
based on DLP with message recovery which has been adopted in the recent IEEE standards.
In the year 1999, M Abe, T Okamoto [18] also explained the digital signature techniques with
message recovery based on DLP; they explained the new method of message recovery. Omar
Khadir [22] provides the details on the possible attacks on the security of ElGamal digital
signature. Chen, Shen & Lv [21] introduced the new modified scheme which is the variant of
ElGamal and existing attacks are impossible on it. Then they improved the scheme according
to the existing problems of ElGamal digital signature scheme, and proposed an implicit
ElGamal type digital signature scheme with the function of message recovery. The new
implicit signature scheme with the function of message recovery was formed, after having
tried to hid part of signature message and refining forthcoming implicit type signature
scheme. They also analyses the safety of the refined scheme, and their results indicate that the
new scheme is better than the old one [21].Signature schemes with message recovery provide
the feature that the message is recoverable from the signature and hence does not need to be
transmitted separately. Recently a number of ID-based signatures schemes with message
recovery have been proposed. Kalkan, Kaya & Selcuk [20] introduced the generalized ID-
based ElGamal signatures with message recovery. Their previously proposed ID-based
signature schemes with message recovery turn out to be special instances of their generalized
scheme. They also obtain several new ID-based signatures with message recovery from this
generalized scheme which have not been explored before [20]. There have been several
approaches in the past to obtain signature schemes with message recovery based on the
discrete logarithm problem. Horster, Michels & Petersen [23] generalizes this approach into a
Meta-Message recovery scheme by applying the ideas of the Meta-ElGamal signature
scheme. They also provide a Meta-blind signature schemes which have been developed from
the ElGamal based blind signature scheme. From their Meta schemes we can get various
190


variants from which some are more efficient then the already known ones. They also
recommended this for practical use. In their paper, they have given interesting applications of
the presented Meta-schemes like authentic encryption schemes, key distribution protocols
and authentication schemes [23].With the wide application of ElGamal digital signature
scheme, its security is usually being challenged and the problem becomes increasingly
serious. In order to resolve the security decline, caused by the ElGamal signature scheme
which uses only one random number, a modified scheme was proposed by Chen, Shen, Lv
and Lin [24]. They add a random number to the scheme in order to increase the difficulty of
deciphering key, and therefore improve the security correspondingly. As same as the
ElGamal signature scheme, the improved signature scheme is also based on the difficulty in
discrete logarithm finite field. Eventually the improved signature scheme was analyzed on
security and time complexity. The analysis shows that the security of the improved signature
scheme is higher than original one, and has a relatively low time complexity [24].A digital
signature scheme allows one to sign an electronic message and later the produced signature
can be validated by the owner of the message or by any verifier. Most of the existing digital
signature schemes were developed based on the use of hash function and massage
redundancy to resist against forgery attack. Mohanty & Majhi [25] proposed a signature
scheme with message recovery and without using one way hash function which is secure and
practical. They also showed that the proposed scheme is secure against the parameter
reduction attack and forgery attack. Security of their scheme is based on the complexity of
solving the discrete logarithm problem and integer factorization. Their proposed scheme does
not use message redundancy and is also suitable to provide signature on long messages [25].
ElGamal public-key cryptosystem is an international public-key cryptosystem, and also is a
more effective and secure algorithms used to secret communication networks and digital
signature. It is the foundation of many special-purpose digital signatures. But ElGamal digital
signature algorithm exist a security flaw that random numbers cannot repeated usage. Jun,
Ying and Dong [26] puts forward an improving method aimed at the security flaw, and makes
security analysis to the improved algorithm, and proves its correctness in their paper[26].

3. ELGAMAL DIGITAL SIGNATURE ALGORITHM

The parameters on which the system is based are, the large prime number p and
primitive root g of mod p (g the generator of Zp*). At Bob’s side: signer randomly generates
an integer x (such that 1 < x< p -1), x is private key. Public key calculated by the Bob is

y =g x mod p (3.1)

y is a public key.
For plain text m, where 1≤m≤p-1, Bob selects arbitrary an integer K, such that GCD (K, p-1)
=1.
Signature generation: Bob seeks signature text (R, S)

R = g K mod p (3.2)

And m = x R + KS mod (p -1) or

S = K-1 1(m – x R) mod (p -1) (3.3)
191


Signature verification: Alice authenticates the signature (R, S)

g m ≡ y R RS mod p (3.4).

If the result of (3.4) is correct, and (R, S) is genuine signature of m, otherwise it is
illegal. For ElGamal digital signature, because it is based on discrete logarithm problem, if
solving the discrete logarithm, we can find private key x of Bob by y and g, when p is not a
very large. As the k non-reusable, in practice, we must remember the random number has
been used, since the signature is used to compare later. In the network information so
advanced today, no doubt that the ElGamal digital signature algorithm is a fatal defect [26].
To reduce this defect, we can introduce more random numbers to increase the link between
the random number and signature. And this random number and the original position and role
of the private key are same. Private keys from one to two, the introduction of random number
has a direct connection with signature, and does not change the overall structure of the
original algorithm.
According to the methods analysis to the attacking on random number, it was found
that if the random number is insecure then, hacker can easily calculate the value of random
numbers or the value of the key. It is resulted from the analysis that it is easier to hack the
random number than hack the key. It can be seen that there is no essential difference between
the random number k and the private key x.

4. IMPROVED DIGITAL SIGNATURE ALGORITHM

The difference between the proposed algorithm and the original ElGamal digital
signature algorithm is mainly reflected in increasing more random numbers and unknown
values. By increasing more equations like (3.2) & (3.3), the original algorithm will become
complicated and more difficult to decipher. .

The proposed algorithm is as follow:

Step 1: A large prime number p is produced by system, g is a generator of Zp*, x (1≤x≤p-
1).is the signer's private key, the corresponding signature public key Y can be calculated as
Y = g x mod p. (4.1)
This is opened to the public to verify digital signature. Now, public key is [p, g, y] and
private key is [x].
Step 2: Two different random numbers K and t are randomly selected by system where t,
k and x must be co-prime (and 1≤ t, K ≤p-1).
Step 3: Calculate digital signature of the message M where 1≤M≤p-1.
R = g K mod p (4.2)
S = (K + Rx) mod p-1 (4.3)
V = M * g–t mod p (4.4)
Z = (t +SV) mod p-1 (4.5)
Now, digital signature is [R, V, Z]
Step 4: The signature of plain text M is [R, V, Z] is sent to the corresponding customers by
system. The customers use the following equation to verify the correctness of plaintext M
digital signatures.

192


1. Recovery of the message M
M = V *g Z * R–V * Y–RV mod p (4.6)
Proof of Message recovery:
M = V * g Z * R–V * Y–RV
= M * g–t g Z * R–V Y–RV by (4.4)
= M * g–t g Z * g–KV Y–RV by (4.2)
= M * g–t g Z * g–KV * g–x R V by (4.1)
= M * g–t g Z * g–V(K + Rx)
= M * g–t g Z * g–V(S) by (4.3)
= M * g–t g t +SV * g–V(S) by (4.4)
= M * g t + SV–VS–t
= M * g 0 = M original message

2. Verification of Digital signature
V1 = M V mod p (4.7)
V2 = (V (g Z (R * Y R) –V)) V mod p (4.8)
If V1 = V2, then signature is genuine and original message is recovered.
If V1 ≠ V2, then signature is not genuine and original message is not recovered.
Proof of verification equation:
V2 = (V (g Z (R * YR)–V)) V mod p
= VV * (g Z (R * YR)–V) V mod p
= M V * g –t V * (g Z (R * YR)–V) V mod p by (4.4)
= M V * g –t V * (g Z (R–V * Y–V R )) V mod p
= M V * g –t V * (g Z (g–kV * g–x V R)) V mod p by (4.1) & (4.2)
= M V * g –t V * (g t +SV * g–kV * g–x V R) V mod p by (4.5)
= M V * g –t V * (g t +SV * g –V (K + Rx)) V mod p
= M V * g –t V * (g t +SV * g –V(S)) V mod p by (4.3)
= M V * g –t V * (g t +SV–VS) V mod p
= M V * g –t V * (g t)V mod p
= M V * g0 mod p
= M V mod p
= V1
In the above-mentioned proposed ElGamal digital signature algorithm, the same
message M corresponded to the different digital signature (R, V, Z) for the different random
number K, t. And they can be all verified through the equations above and improves the
uncertainty of the signature, because k & t are co-prime and in equations t, S, K and x are
unknown values. This helps in improving the security.
193


Start

1. Choose a large prime number p
2. Select Primitive root modulo g of p
3. A private key x where 1≤x≤p

Calculate a key y
y=g x mod p.

Private Key [x] Public Key [p, g, y]

Signature Generation

Calculate digital signature of message M,
where 1≤M≤p
Digital Signature [R, V, M] Message Recovery
Choose random numbers K & t where t, K
and x must be co-prime (and 1≤ t, K ≤p-1).
R = g K mod p M = V *g Z *R –V *Y –R V mod p
S = (K + Rx) mod p-1
V = M * g –t mod p
Signature Verification
Z = t + SV mod p-1
V1 = M V mod p
V2 = (V (g Z (R* YR) –V)) V mod p

If V1=V2 If V1≠V2

Signature is genuine and Signature is not genuine
original message is And original message is not
recovered. recovered.

Figure (1) Flow chart of proposed Digital signature technique

5. RESULT AND DISCUSSION

The proposed algorithm is executed on matlab and based on the outcomes the result
has been discussed. Our proposed scheme completely withstand with the message recovery
technique that is an improvement to the previously proposed digital signature schemes.
Discrete logarithmic problem plays a very important role in selection of keys and generation
of digital signature. As compared to previously proposed schemes based on ElGamal we have
used two random numbers (t & K) to make the algorithm more secure. The values of t, x & K
are used to generate the digital signature and are unknown and random. S is one intermediate
194


value that is unknown by the verifier and dependent on t and x. The proposed scheme recover
message from the signature itself otherwise it will give an error. The message “The quick
brown fox jumps over the lazy dog” is used to generate the digital signature for large prime
numbers and the result has been compared on the basis of execution time and security of
algorithm.
Prime Primitive modulo Key selections Message Signature
number generation (public Key) recovery Verification
(sec) P g y (sec) (sec)
11483 78.5278 (11483,1432,10375) 1.5414 0.0030
19913 208.6068 (19913, 939, 17743) 10.0790 0.0057
1999 5.6546 (1999, 1761, 782) 0.0910 0.0011

As we can see in the above table, if we take very large prime number then it is
difficult to compute discrete logarithm problem over Zp. The primitive modulo generation
take more time for larger value of prime number p but message recovery and verification
takes nearly the same time.
5.1 Attack to recovery of private key of signer
It is almost difficult to compute the discrete logarithm problem over Zp when p is a
large prime number and k & t are two random and unknown numbers. Therefore, it is
difficult to solve three unknown values S, K & x in equation 4.3 and to recover private key of
signer.
5.2 Forgery Attack
It is difficult to find x because S, k and x all are unknown in equation 4.3. For given
V, t is unknown and difficult to compute Zp (as p is a large prime number). If V and Z both
are known then also it is difficult to solve the equation 4.5 because there are two unknown
values t and S in equation 4.5. Hence our scheme is secure.
5.3 Suitable for long messages
This scheme is suitable for long message because message m is not in exponent as in
Kang et al.’s scheme, therefore if message is large then also is not impractical and very
difficult to solve this equation 4.4.

6. CONCLUSION

The signature scheme proposed above can recover message from the signature itself
and parameter reduction attack is not applicable on it. The scheme fully supports the message
recovery feature, as message can easily recovered from the signature, so there is no need to
send message along with the signature. It is also proved in Section 4 that the proposed
scheme is more secure due to the use of more random values (K & t) and S is also an implicit
value. Key generation use safe and large primes. We can also use this for signing large
documents such as files etc. Hence the proposed signature scheme can be applicable in areas
like e-banking, e-commerce, and e-voting.

195


ACKNOWLEDGEMENTS

I acknowledge my sincere and deep indebtedness to my mentor for his valuable
guidance, keen interest and encouragement throughout this work. I also acknowledge my
sincere gratitude to authorities of IIT Delhi and other technical staff of Computer services
center for their help and assistance. I am also thankful to my fellow faculty research members
for their cooperation.

REFERENCES

[1] An Efficient ID-based Digital Signature with Message Recovery Based on Pairing”,
Raylin Tso and Chunxiang Gu and Takeshi Okamoto and Eiji Okamoto, 2007,
ISBN: 3-540-76968-4 978-3-540-76968-2.
[2] R. L. Rivest, A. Shamir, L. Adleman “A method for obtaining digital signatures and
public-key cryptosystems”, Comm. of the ACM, Vol. 21, (1978), S. 120-126.
[3] K. Nyberg, R. Rueppel, “A new signature scheme based on the DSA giving message
recovery”, Proc. 1st ACM Conference on computer and Communications Security,
Fairfax, Virginia, Nov, 3-3.,(1993), 4 pages.
[4] K. Nyberg, R. Rueppel, "Message recovery for signature schemes based on the
discrete logarithmic problem “, Pre-proceedings of Eurocrypt ’94, University of
Perugia, Italy, (1994), pp. 175-190.
[5] J. M. Piveteau, “New signature scheme with message recovery” Electronics Letters,
Vol. 29, No. 25, (1993), pp. 2185.
[6] Chenn Zhi-Ming. “An improved encryption algorithm on ElGamal algorithm”
Computer Applications and Software, 2005, 22 (2): 82-85.
[7] Wang Li, Xing Wei, Xu Guang-zhong. “ElGamal public-key cryptosystem based on
integral quaternions” Computer Applications, 2008, 28(5):1156-1157.
[8] Lu Hong-wen, Sun Yu-hua. “A Public-key Cryptography Using Integral
Quaternions”. Journal of Tong Ji University, 2003, 31(12)
[9] Huang Zhen-Jie, Wang Yu-min, Chen Ke-fei “Generalization and improvement of
Nyberg-Rueppel message recovery blind signatures” [J]. Journal on Communications,
2005, 26(12): 131-135.
[10] CHEN Hui-yan, LB Shu-wang, Liu Zhen-hua. Identity Based Signature Scheme with
Partial Message Recovery [J]. Chinese Journal of Computers, 2006, 29 (9): 1622-
1627.
[11] Cao Tian-jie, Lin Dong-dai. “Security analysis of a signature scheme with message
recovery” Journal of Zhejiang University (Science Edition), 2006, 33 (4): 396~ 397
[12] Kan Yuan-ping. “A Signature Scheme wit h Message Recovery Based on Elliptic
Curves”. Computer engineering and science, 2010, 32(2): 58-59.
[13] Haipeng Chen, Xuanjing Shen and Yingda Lv, “An Implicit ElGamal Digital
Signature Scheme”, Journal of Software, vol. 6, no. 7, July 2011
[14] Nyberg K. and Rueppel R.A. “message recovery for signature schemes based on the
discrete logarithm problem” in EUROCRYPT, 1995, 182~193.
[15] Wang Qing- ju, Kang Bao- yuan, Han Jin- guang “Several new ElGamal Type Digital
Signature Schemes and Their Enhanced Schemes” [J] Journal of East China Jiaotong
University, 2005, 22(5): 127-138

196


[16] Zhang Hui-ying, Zhang Jun. “Research and Design of an Improved ElGamal Digital
Signature Scheme” [J] Computer Engineering and Science, 2009, 31(12): 35-38.
[17] K. Nyberg and R. A. Rueppel “A new signature scheme based on the DSA giving message
recovery” In Proc. of 1st ACM conference on communication and computer security, pages
58–61, 1993.
[18] M. Abe and T. Okamoto “A signature scheme with message recovery as secure as discrete
logarithm” In Proc. of ASIACRYPT’99, volume 1716 of LNCS, pages 378–389. Springer-
Verlag,1999.
[19] C. Y. Yeun. “Digital signature with message recovery and authenticated encryption
(signcryption) – a comparison” In IMA - Cryptography and Coding’99, volume 1746 of
LNCS, pages 307–312, 1999.
[20] Said Kalkan, Kamer Kaya, Ali Aydin Selcuk, “Generalized ID-Based ElGamal Signatures
with Message Recovery”, ISCIS 2007.
[21] Haipeng Chen, Xuanjing Shen and Yingda Lv, “An Implicit ElGamal Digital Signature
Scheme”, Journal of software, Vol. 6, No. 7, 2011, pages 1329-1336.
[22] Omar Khadir, “New Variant of ElGamal Signature Scheme”, Int. J. Contemp. Math.
Sciences, Vol. 5, 2010, no. 34, 1653 – 1662.
[23] Patrick Horster, Markus Michels, Holger Petersen, “Meta Message Recovery and Meta Blind
signature schemes based on the discrete logarithm problem and their applications”, TR-94-9.
[24] Haipeng Chen, Xuanjing Shen, Yingda Lv, Jiaying Lin, “An Improved ElGamal Digital
Signature Algorithm Based on Adding a Random Number”, 2010 Second International
Conference on Networks Security, Wireless Communications and Trusted Computing
[25] Sujata Mohanty, Banshidhar Majhi, “A Digital Signature Scheme with message recovery and
without one-way hash function” 2010 International Conference on Advances in Computer
Engineering, pages 265-267.
[26] Zhang Jun, Zhang Hui Ying, Ji Wei Dong, “ElGamal Digital Signature Scheme with a Private
Key Pairs” Information Engineering and Computer Science (ICIECS), 2010, pages 1-5.

AUTHORS

Saima Salmaz, Assistant professor of computer science and
engineering at GNIT Greater Noida since 2011, received her B.Tech
degree in CSE from Jamia Millia Islamia University in year 2009 and
M.Tech Degree from MDU Rohtak in the year 2011. In year 2012, was
worked as summer research faculty fellow at IIT Delhi.

Dr. Ram Lal is a faculty in Computer Services Centre at Indian
Institute of Technology Delhi, Hauz-khas, New Delhi 110016, India. His
areas of interest are object-oriented programming, Matlab Programming,
information technology, e-governance application and system
administration. His publications have appeared in various leading journals
and international conferences.

197

Efficient Digital Signature Technique with Message Recovery Based on ElGamal

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Efficient Digital Signature Technique with Message Recovery Based on ElGamal

Similaire à Efficient Digital Signature Technique with Message Recovery Based on ElGamal (20)

Plus de IAEME Publication

Plus de IAEME Publication (20)

Dernier

Dernier (20)

Efficient Digital Signature Technique with Message Recovery Based on ElGamal