Digital Signature Scheme with Message Recovery using Secure Primes and without using One Way Hash Function

Sumit Kumar
Dept. of Computer Science and Engineering, Quantum School of Technology, Roorkee, India
sumitaggarwal001@gmail.com

Manish Mittal
Dept. of Electronics & Comm. Engineering, Quantum School of Technology, Roorkee, India
manishbmittal@gmail.com

ABSTRACT

A digital signature scheme permits users to sign messages that can be validated by the owner of the message or verified by any verifier. The majority of digital signature schemes are based on hash code generation to protect against forgery attacks. In a recovery based digital signature scheme the message is concealed within the signature on the sender side. The receiver first recovers the message and then validates the signature. In our work, we present a digital signature scheme with the message recovery characteristic and without using a one way hash function. The proposed scheme does not use message redundancy and conforms to all the properties of a digital signature. It is quite secure against forgery attack and uses the concept of secure primes for the generation of keys and the primitive element.

KEYWORDS

Digital signature, message recovery, one way hash function, forgery attack, parameter reduction attack, secure prime number, discrete logarithm

I. INTRODUCTION

As internet use is continuously growing, the digital signature has become more vital than before. Digital signature systems give a signer the ability to transform any message into a signed message in such a way that anyone can validate the message by using the public key of the signer, but only the signer can generate signed messages. Digital signature schemes provide the following services [1]:

A. Sender Authentication

A digital signature ensures that the message comes from the alleged sender. Authentication must assure that the connection is not interfered with by a third party in such a way that the third party can impersonate one of the two legitimate parties for unauthorized transmission or reception of messages. This type of service supports applications such as e-mail, where there is no prior interaction between the communicating parties.

B. Data Integrity

A digital signature ensures the authenticity of the message, that is, that it was not altered in transit. It protects against inappropriate modification of or damage to information by an adversary. Message integrity may be applied to the whole connection, to a particular message, or to a particular field in a message.

C. Non-Repudiation

A digital signature ensures that the sender of a message cannot deny having sent the message to the recipient in case of any dispute. If the message is distributed, the receiver can validate that the claimed sender has sent the message. A digital signature provides the mechanism for origin nonrepudiation but does not provide receiver nonrepudiation.

Based on the size of the message and the computation power of the devices, there are two modes of operation for digital signatures [2]:

A. Appendix Mode

In appendix mode the creator of the message appends a code to the message that acts as a signature. Typically the signature is produced by taking the hash of the message and encrypting it with the private key of the sender. It protects the signed message and the signature from unauthorized modification. In this mode the receiver needs three parameters, namely the public key of the signer, the message and the appended digital signature. During verification, the receiver inputs the message into the hash function, and the hash value of the signed message is used to validate the authentication of the sender.

B. Recovery Mode

In message recovery mode the message is embedded in the digital signature by the sender of the message. The receiver of the message requires two parameters to verify the message: the digital signature and the public key of the signer. The receiver first recovers the message from the digital signature and then verifies the signature. The advantages of this scheme are a lower computation cost, as a hash code need not be computed, and a lower communication overhead, because the message need not be appended to the signature separately.

In many applications a digital signature scheme with message recovery is useful for signing small messages; for example, date, time and other identifiers are signed in time stamping and e-mail services. The correctness of the message is verified by using a message redundancy scheme. Furthermore, message recovery and a one way hash function can be used to protect against forgery attacks.

The well-known digital signature proposal with the message recovery characteristic is the RSA based digital signature system, which is based on the complexity of factoring large integers [3]. Later, Nyberg and Rueppel proposed a discrete logarithm based method with message recovery [4]. Other digital signature schemes with the message recovery feature have also been proposed [5], [6]. Some of these schemes have the ability to encrypt in order to assure the privacy of signed messages [7], [8], [9]. Therefore, only the authorized receiver can recover the original message from the signature and verify its legitimacy. Recently, Kang et al. [10] proposed a new digital signature scheme with message recovery and state that their scheme preserves the properties of Shieh et al.'s [2] signature scheme. The memory requirement for using this scheme is greatly reduced. Moreover, a message redundancy scheme and a one way hash function are not used.

We propose a new digital signature scheme with the message recovery aspect and without using a one way hash function. It improves Kang et al.'s scheme [10] and is shown to be more secure due to the use of safe primes and additional random numbers.
The rest of the paper is organized as follows: we briefly present the analysis of Kang et al.'s scheme [10] in Section II, the new scheme is presented in Section III, the security analysis is discussed in Section IV, and the paper is concluded in Section V.

II. ANALYSIS OF KANG ET AL.'S SCHEME

Kang et al.'s scheme consists of three phases: the initiation phase, the digital signature generation phase and the digital signature verification phase. A brief description of each phase is given below.

A. Initiation Phase

1) Let $p$ be a large prime number and $g$ a primitive element in $GF(p)$.
2) The signer chooses its private key $x$ such that $x < p-1$ and $\gcd(x, p-1) = 1$.
3) The public key is computed as $Y = g^{x} \bmod p$.

The signature generation involves the following steps for a message $m \in GF(p)$.

B. Signature Generation Phase

To sign a message $m$, the signer performs the following operations.

1) Computes
   $s = Y^{m} \bmod p$  (1)
2) Selects a random number $k$ in $Z_p$ and computes $r$ as
   $r = s + m \cdot g^{-k} \pmod{p}$  (2)
3) Computes $t$ from the following expression:
   $s + t \equiv x^{-1}(k - r) \pmod{p-1}$  (3)
4) Sends the triplet $(r, s, t)$ to the receiver as the signature of the message $m$.

C. Signature Verification Phase

After receiving the signature $(r, s, t)$, the verifier checks the authenticity of the signature by performing the following operations.

1) It recovers the message $m'$ as
   $m' \equiv (r - s)\, Y^{s+t}\, g^{r} \pmod{p}$  (4)
2) It checks the authenticity of the signature by evaluating the following expression:
   $s \equiv Y^{m'} \pmod{n}$  (5)

If it holds, then the signature $(r, s, t)$ is considered a valid one generated by the signer of the recovered message $m'$.

Our analysis is that the scheme uses a simple prime number $p$ instead of a safe prime and uses only one random number parameter in (2). So the scheme can be further improved for use in practical areas.

III. THE PROPOSED SCHEME

The proposed scheme is an improvement over the previous scheme and uses the safe prime generation algorithm. It conforms to the properties of a digital signature and is proven to be more secure. The proposed scheme is described in three phases, namely the initialization phase, the signature generation phase and the signature verification phase. The description of each phase is given below.

A. Initialization Phase

1) A trusted third party chooses two primes $p$ and $q$ such that $p = 2fp' + 1$ and $q = 2fq' + 1$, where $f$, $p'$ and $q'$ are distinct primes.
2) The integer $n$ is computed as the product of these two prime numbers $p$ and $q$.
3) Then it chooses a primitive element $g$ in $GF(n)$.
4) The signer chooses its private key $x \in Z_n$ such that
   $\gcd(x, n-1) = 1$  (6)
5) The signer determines its public key $Y$ as
   $Y = g^{x} \pmod{n}$  (7)

B. Signature Generation Phase

Suppose sender U wants to send a message $m \in GF(n)$ by using the proposed scheme. Then the sender does the following:

1) Compute
   $s = Y^{m} \bmod n$  (8)
2) Choose two random numbers $u$ and $k$ in $GF(n)$ and compute
   $r = s + m \cdot g^{u-k} \pmod{n}$  (9)
3) Compute $t$ such that
   $s + t \equiv x^{-1}(k - r - u) \pmod{n-1}$  (10)
4) User U sends the signature $(s, r, t)$ for message $m$ to the receiver V.

C. Signature Verification Phase

1) After receiving the signature, receiver V recovers the message as
   $m' \equiv (r - s)\, Y^{s+t}\, g^{r} \pmod{n}$  (11)
   because
   $(r - s)\, Y^{s+t}\, g^{r} \equiv m\, g^{u-k}\, g^{x(s+t)}\, g^{r} \equiv m\, g^{u-k}\, g^{k-r-u}\, g^{r} \equiv m\, g^{u-k+r}\, g^{k-r-u} \equiv m \pmod{n}$
2) User V verifies whether
   $s = Y^{m'} \bmod n$  (12)

If (12) is verified successfully, then the message is accepted as a valid message.

The steps involved in digital signature generation and verification are summarized in Table 1.

Table 1. The proposed digital signature scheme

Signature generation
1. $s = Y^{m} \bmod n$
2. $r = s + m \cdot g^{u-k} \pmod{n}$
3. Compute $t$ such that $s + t \equiv x^{-1}(k - r - u) \pmod{n-1}$

Signature verification
1. Recover the message as $m' \equiv (r - s)\, Y^{s+t}\, g^{r} \pmod{n}$
2. Verify whether $s = Y^{m'} \bmod n$

IV. SECURITY ANALYSIS

The proposed digital signature scheme is shown to fulfill all the properties of a digital signature and can resist attacks that try to recover the private key of the signer. It is discussed how the scheme can resist the forgery attack. Finally, the influences of the discrete logarithm and of the random parameters are discussed.

A. Comply with the Properties of Digital Signature [1]

The verification phase (12) depends on the public key of the sender and on the recovered message; hence it verifies the sender authentication and the integrity of the message. As the message recovery also depends on the private key of the sender, which appears during the recovery phase as an exponent of the primitive root $g$, it obeys the rule of nonrepudiation of the sender.

B. Signature Forgery Attack

In order to have a forged message verified as a valid one, the attacker first needs to manipulate the triplet $(s, r, t)$ to $(s', r', t')$ in such a way that

$(r' - s')\, Y^{s'+t'}\, g^{r'} \equiv (r - s)\, Y^{s+t}\, g^{r} \pmod{n}$  (13)

Here, computing $r$ and $t$ is equivalent to solving the discrete logarithm problem in (9) and (10) for $u$, $k$ and the private key $x$, which is impossible.

C. Influence of Discrete Logarithm

The proposed algorithm uses the prime number $n$ to perform modular operations in (8) and (9). Consider equation (7): for given $g$, $n$ and $x$, it is easy to calculate $Y$. But for given $g$, $n$ and $Y$, it is very hard to compute $x$ (the private key). The complexity is the same as factoring prime numbers in RSA [3]. At the present time [11], the best known algorithm for taking discrete logarithms modulo a prime number is of the order of

$e^{(\ln p)^{1/3} (\ln(\ln p))^{2/3}}$

This is not feasible for a large prime.

D. More Randomized Parameters

The computation of the parameters $r$ and $s$ is assisted by two random numbers $u$ and $k$, which are of the order of $n$. Their complexity lies in solving the discrete logarithm problem of the order $n$. However, Kang's scheme uses only one parameter in (2) for the computation of the parameter $r$. Hence the proposed scheme is more secure in comparison to Kang et al.'s scheme.

V. CONCLUSION

In this paper, we proposed a message recovery based digital signature scheme on the foundation of the ElGamal scheme [12]. Our scheme improves the security of Kang's scheme [10] without using a one way hash function or the message redundancy approach. It can resist the forgery attack and the parameter reduction attack. The scheme is proven to be more secure as it makes use of secure prime numbers and more random parameters in the signature generation phase. It is better than the appendix mode schemes as it does not require the computation of hash codes for the digital signature. The communication overhead is also low, as the message need not be sent independently along with the signature. Hence this scheme is suitable for signing small messages and can be used on resource constrained mobile devices due to its lower computation cost, lower communication overhead and improved security.

REFERENCES

[1] Stallings, W. (2013). Digital Signatures, in Cryptography and Network Security: Principles and Practice. Fifth edition.
[2] Shieh, S. P., Lin, C. T., Yang, W. B., and Sun, H. M. (2000). Digital multisignature schemes for authenticating delegates in mobile code systems. IEEE Trans. Veh. Technol., vol. 49, pp. 1464–1473.
[3] Rivest, M., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signature and public-key cryptosystems. ACM Communications, vol. 21, pp. 120–126.
[4] Nyberg, K., and Rueppel, R. A. (1993). A new signature scheme based on the DSA giving message recovery. 1st ACM Conference on Computer & Communications Security, Fairfax, USA, Nov. 1993.
[5] Horster, P., Michels, M. and Petersen, H. (1994). Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications. ASIACRYPT, Australia: NSW, pp. 224–237, Dec. 1994.
[6] Piveteau, J. M. (1993). New signature scheme with message recovery. Electron. Lett., vol. 29, no. 25, p. 2185, Dec. 1993.
[7] Hwang, S. J., Chang, C. C. and Yang, W. P. (1995). An encryption signature scheme with low message expansion. Chinese J. Institute of Engineers, vol. 18, no. 4, pp. 591–595, 1995.
[8] Lee, W. B. and Chang, C. C. (1995). Authenticated encryption scheme without using a one way function. Electron. Lett., vol. 31, no. 19, pp. 1656–1657, Sept. 1995.
[9] Nyberg, K. and Rueppel, R. A. (1994). Message recovery for signature schemes based on the discrete logarithm problem. EUROCRYPT'94, Perugia, Italy, pp. 182–193, May 1994.
[10] Kang, L. and Tang, X. H. (2006). Digital signature scheme without hash functions and message redundancy. Journal on Communications, vol. 27, no. 5, pp. 18–20, 2006.
[11] Beth, T., Frisch, M. and Simmons, G. (1991). Public key cryptography: state of the art and future directions. Springer-Verlag, New York, 1991.
[12] ElGamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithm. IEEE Trans. Inform. Theory, vol. IT-31, pp. 469–472, July 1985.
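
The signing, recovery and verification equations of Sections II and III as runnable code, added here as an example and not taken from the paper. It runs over a small constructed safe prime p = 467 with primitive element g = 2 (a prime modulus as in Section II, so that exponents can be reduced mod p − 1) rather than over the composite n of Section III; the function names and all parameter values are assumptions for illustration.

```python
from math import gcd

# Constructed toy parameters, far too small for real use.
P = 467   # safe prime: 467 = 2*233 + 1
G = 2     # primitive element mod 467 (2^233 = -1 mod 467)

def keygen(x, p=P, g=G):
    """Public key Y = g^x mod p for a private key x with gcd(x, p-1) = 1."""
    if gcd(x, p - 1) != 1:
        raise ValueError("x must be invertible mod p-1")
    return pow(g, x, p)

def sign(m, x, k, u=0, p=P, g=G):
    """Return (s, r, t). u = 0 gives eqs (1)-(3); u != 0 gives eqs (8)-(10)."""
    y = pow(g, x, p)
    s = pow(y, m, p)                                   # (1) / (8)
    r = (s + m * pow(g, (u - k) % (p - 1), p)) % p     # (2) / (9)
    x_inv = pow(x, -1, p - 1)                          # x^-1 mod (p-1)
    t = (x_inv * (k - r - u) - s) % (p - 1)            # (3) / (10)
    return s, r, t

def recover(sig, y, p=P, g=G):
    """Message recovery m' = (r - s) * Y^(s+t) * g^r mod p, eq (4) / (11)."""
    s, r, t = sig
    return (r - s) * pow(y, s + t, p) * pow(g, r, p) % p

def verify(sig, y, p=P, g=G):
    """Return (valid, m'): valid is True when s == Y^m' mod p, eq (5) / (12)."""
    m_rec = recover(sig, y, p, g)
    return sig[0] == pow(y, m_rec, p), m_rec

if __name__ == "__main__":
    x = 127                        # constructed private key
    y = keygen(x)
    sig = sign(100, x, k=213, u=57)
    print(sig, verify(sig, y))
    s, r, t = sig
    print(verify((s, r, (t + 1) % (P - 1)), y))   # altered t is rejected
```

Because (9) and (10) use u and k only through the difference k − u, `sign(m, x, k, u)` returns the same triplet as `sign(m, x, k - u, 0)`.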