International Journal of Computer Engineering and Technology ENGINEERING (IJCET), ISSN 0976INTERNATIONAL JOURNAL OF COMPUTER 6367(Print), ISSN 0976

6375(Online) Volume 4, Issue 2, March April (2013), IAEME & TECHNOLOGY (IJCET)

ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), pp. 189-197 IAEME: www.iaeme.com/ijcet.asp Journal Impact Factor (2013): 6.1302 (Calculated by GISI) www.jifactor.com

IJCET
IAEME

THE EFFICIENT DIGITAL SIGNATURE TECHNIQUE WITH MESSAGE RECOVERY BASED ON ELGAMAL
Saima Salmaz1, Ram Lal2
1

Department of computer science and engineering, GNIT, Greater Noida, India 2 Computer Services Center, IIT Delhi, India

ABSTRACT The digital signature scheme allows authenticating documents with non-repudiation and data integrity. The problem of ElGamal digital signature scheme is that, the message recovery is not provided and its security is constantly being challenged. The security disadvantage of the original ElGamal algorithm is that, it has only one random number. In order to improve its security, the proposed scheme adds one more random number. The security of the proposed signature scheme is the same with the ElGamal signature scheme which is based on the difficult computable nature of discrete logarithm over finite fields. In this paper, the algorithm is proposed to enhance the security and usage of more random number to make algorithm more complicated, which can also make the link between the random number and the key more complicated. The attacks like forgery and parameter reduction are also not applicable on it. The length of the message is independent, so it is suitable for long messages. KEYWORDS Public key cryptography, ElGamal signature scheme, Discrete logarithm problem, Blind digital signature. 1. INTRODUCTION A digital signature scheme with message recovery is also known as blind signature scheme. The scheme in which original message is not required at the time of verification of the document. The original message is appended to the signature and recovered at the time of message recovery process and the recovered message is then used to verify the documents [1]. The first concept of digital signature with message recovery was proposed in 1978 [2]
189

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

and based on that in the past years, many approaches are given that are on discrete logarithm problems with the concept of message recovery in digital signature techniques [3-5], [21]. The Schnorr and DSA are the methods based on ElGamal digital signature technique [22]. All the public key algorithms are practically slower than the symmetric key algorithms at the time of encryption and decryption [6-8]. There are many digital signature schemes that do not provide message recovery technique such as MD5, SHA, SHA-152 etc. But message recovery techniques have many advantages such as for any plain-text it will produce different digital signatures every time when we run its algorithm because it uses randomly chosen parameters to generate the digital signatures. The size and length of the signatures depend on the plain-text in the case of message recovery, but fixed in the case of digital signature schemes without message recovery [9-13]. There are many signatures schemes that have been improved which are based on ElGamal digital signature scheme. The message recovery and verification features are added in those schemes [14-16]. The Nyberg and Rueppel had proposed ElGamal signature scheme with message recovery in 1993 [17] and after this many schemes were given [14], [18], [19], [20]. Our purpose is to improve the functionality of ElGamal digital signature by adding the property of message recovery and increase security. The proposed technique is based on discrete logarithmic problem and its properties. 2. LITERATURE REVIEW The main problem with the ElGamal digital signature scheme was message recovery. The original ElGamal scheme does not contain message recovery techniques and some attacks are possible on it [22]. Nyberg and Rueppel [4] introduced the signatures schemes based on DLP with message recovery which has been adopted in the recent IEEE standards. In the year 1999, M Abe, T Okamoto [18] also explained the digital signature techniques with message recovery based on DLP; they explained the new method of message recovery. Omar Khadir [22] provides the details on the possible attacks on the security of ElGamal digital signature. Chen, Shen & Lv [21] introduced the new modified scheme which is the variant of ElGamal and existing attacks are impossible on it. Then they improved the scheme according to the existing problems of ElGamal digital signature scheme, and proposed an implicit ElGamal type digital signature scheme with the function of message recovery. The new implicit signature scheme with the function of message recovery was formed, after having tried to hid part of signature message and refining forthcoming implicit type signature scheme. They also analyses the safety of the refined scheme, and their results indicate that the new scheme is better than the old one [21].Signature schemes with message recovery provide the feature that the message is recoverable from the signature and hence does not need to be transmitted separately. Recently a number of ID-based signatures schemes with message recovery have been proposed. Kalkan, Kaya & Selcuk [20] introduced the generalized IDbased ElGamal signatures with message recovery. Their previously proposed ID-based signature schemes with message recovery turn out to be special instances of their generalized scheme. They also obtain several new ID-based signatures with message recovery from this generalized scheme which have not been explored before [20]. There have been several approaches in the past to obtain signature schemes with message recovery based on the discrete logarithm problem. Horster, Michels & Petersen [23] generalizes this approach into a Meta-Message recovery scheme by applying the ideas of the Meta-ElGamal signature scheme. They also provide a Meta-blind signature schemes which have been developed from the ElGamal based blind signature scheme. From their Meta schemes we can get various
190

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

variants from which some are more efficient then the already known ones. They also recommended this for practical use. In their paper, they have given interesting applications of the presented Meta-schemes like authentic encryption schemes, key distribution protocols and authentication schemes [23].With the wide application of ElGamal digital signature scheme, its security is usually being challenged and the problem becomes increasingly serious. In order to resolve the security decline, caused by the ElGamal signature scheme which uses only one random number, a modified scheme was proposed by Chen, Shen, Lv and Lin [24]. They add a random number to the scheme in order to increase the difficulty of deciphering key, and therefore improve the security correspondingly. As same as the ElGamal signature scheme, the improved signature scheme is also based on the difficulty in discrete logarithm finite field. Eventually the improved signature scheme was analyzed on security and time complexity. The analysis shows that the security of the improved signature scheme is higher than original one, and has a relatively low time complexity [24].A digital signature scheme allows one to sign an electronic message and later the produced signature can be validated by the owner of the message or by any verifier. Most of the existing digital signature schemes were developed based on the use of hash function and massage redundancy to resist against forgery attack. Mohanty & Majhi [25] proposed a signature scheme with message recovery and without using one way hash function which is secure and practical. They also showed that the proposed scheme is secure against the parameter reduction attack and forgery attack. Security of their scheme is based on the complexity of solving the discrete logarithm problem and integer factorization. Their proposed scheme does not use message redundancy and is also suitable to provide signature on long messages [25]. ElGamal public-key cryptosystem is an international public-key cryptosystem, and also is a more effective and secure algorithms used to secret communication networks and digital signature. It is the foundation of many special-purpose digital signatures. But ElGamal digital signature algorithm exist a security flaw that random numbers cannot repeated usage. Jun, Ying and Dong [26] puts forward an improving method aimed at the security flaw, and makes security analysis to the improved algorithm, and proves its correctness in their paper[26]. 3. ELGAMAL DIGITAL SIGNATURE ALGORITHM The parameters on which the system is based are, the large prime number p and primitive root g of mod p (g the generator of Zp*). At Bobs side: signer randomly generates an integer x (such that 1 < x< p -1), x is private key. Public key calculated by the Bob is y =g x mod p (3.1) y is a public key. For plain text m, where 1mp-1, Bob selects arbitrary an integer K, such that GCD (K, p-1) =1. Signature generation: Bob seeks signature text (R, S) R = g K mod p (3.2) And m = x R + KS mod (p -1) or S = K-1 1(m x R) mod (p -1) (3.3)
191

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

Signature verification: Alice authenticates the signature (R, S) g m y R RS mod p (3.4). If the result of (3.4) is correct, and (R, S) is genuine signature of m, otherwise it is illegal. For ElGamal digital signature, because it is based on discrete logarithm problem, if solving the discrete logarithm, we can find private key x of Bob by y and g, when p is not a very large. As the k non-reusable, in practice, we must remember the random number has been used, since the signature is used to compare later. In the network information so advanced today, no doubt that the ElGamal digital signature algorithm is a fatal defect [26]. To reduce this defect, we can introduce more random numbers to increase the link between the random number and signature. And this random number and the original position and role of the private key are same. Private keys from one to two, the introduction of random number has a direct connection with signature, and does not change the overall structure of the original algorithm. According to the methods analysis to the attacking on random number, it was found that if the random number is insecure then, hacker can easily calculate the value of random numbers or the value of the key. It is resulted from the analysis that it is easier to hack the random number than hack the key. It can be seen that there is no essential difference between the random number k and the private key x. 4. IMPROVED DIGITAL SIGNATURE ALGORITHM The difference between the proposed algorithm and the original ElGamal digital signature algorithm is mainly reflected in increasing more random numbers and unknown values. By increasing more equations like (3.2) & (3.3), the original algorithm will become complicated and more difficult to decipher. . The proposed algorithm is as follow: Step 1: A large prime number p is produced by system, g is a generator of Zp*, x (1xp1).is the signer's private key, the corresponding signature public key Y can be calculated as Y = g x mod p. (4.1) This is opened to the public to verify digital signature. Now, public key is [p, g, y] and private key is [x]. Step 2: Two different random numbers K and t are randomly selected by system where t, k and x must be co-prime (and 1 t, K p-1). Step 3: Calculate digital signature of the message M where 1Mp-1. R = g K mod p (4.2) S = (K + Rx) mod p-1 (4.3) V = M * gt mod p (4.4) Z = (t +SV) mod p-1 (4.5) Now, digital signature is [R, V, Z] Step 4: The signature of plain text M is [R, V, Z] is sent to the corresponding customers by system. The customers use the following equation to verify the correctness of plaintext M digital signatures.
192

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

1. Recovery of the message M M = V *g Z * RV * YRV mod p (4.6) Proof of Message recovery: M = V * g Z * RV * YRV = M * gt g Z * RV YRV by (4.4) = M * gt g Z * gKV YRV by (4.2) = M * gt g Z * gKV * gx R V by (4.1) = M * gt g Z * gV(K + Rx) = M * gt g Z * gV(S) by (4.3) = M * gt g t +SV * gV(S) by (4.4) = M * g t + SVVSt = M * g 0 = M original message 2. Verification of Digital signature V1 = M V mod p (4.7) V2 = (V (g Z (R * Y R) V)) V mod p (4.8) If V1 = V2, then signature is genuine and original message is recovered. If V1 V2, then signature is not genuine and original message is not recovered. Proof of verification equation: V2 = (V (g Z (R * YR)V)) V mod p = VV * (g Z (R * YR)V) V mod p = M V * g t V * (g Z (R * YR)V) V mod p by (4.4) = M V * g t V * (g Z (RV * YV R )) V mod p = M V * g t V * (g Z (gkV * gx V R)) V mod p by (4.1) & (4.2) = M V * g t V * (g t +SV * gkV * gx V R) V mod p by (4.5) = M V * g t V * (g t +SV * g V (K + Rx)) V mod p = M V * g t V * (g t +SV * g V(S)) V mod p by (4.3) = M V * g t V * (g t +SVVS) V mod p = M V * g t V * (g t)V mod p = M V * g0 mod p = M V mod p = V1 In the above-mentioned proposed ElGamal digital signature algorithm, the same message M corresponded to the different digital signature (R, V, Z) for the different random number K, t. And they can be all verified through the equations above and improves the uncertainty of the signature, because k & t are co-prime and in equations t, S, K and x are unknown values. This helps in improving the security.
193

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

Start

1. 2. 3.

Choose a large prime number p Select Primitive root modulo g of p

A private key x where 1xp

Calculate a key y y=g x mod p.

Private Key [x] Signature Generation Calculate digital signature of message M, where 1Mp Choose random numbers K & t where t, K and x must be co-prime (and 1 t, K p-1). R = g K mod p S = (K + Rx) mod p-1 V = M * g t mod p Z = t + SV mod p-1

Public Key [p, g, y]

Digital Signature [R, V, M]

Message Recovery

M = V *g Z *R V *Y R V mod p

Signature Verification V1 = M V mod p V2 = (V (g Z (R* YR) V)) V mod p

If V1=V2 Signature is genuine and original message is recovered.

If V1V2 Signature is not genuine And original message is not recovered.

Figure (1) Flow chart of proposed Digital signature technique

5. RESULT AND DISCUSSION The proposed algorithm is executed on matlab and based on the outcomes the result has been discussed. Our proposed scheme completely withstand with the message recovery technique that is an improvement to the previously proposed digital signature schemes. Discrete logarithmic problem plays a very important role in selection of keys and generation of digital signature. As compared to previously proposed schemes based on ElGamal we have used two random numbers (t & K) to make the algorithm more secure. The values of t, x & K are used to generate the digital signature and are unknown and random. S is one intermediate
194

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

value that is unknown by the verifier and dependent on t and x. The proposed scheme recover message from the signature itself otherwise it will give an error. The message The quick brown fox jumps over the lazy dog is used to generate the digital signature for large prime numbers and the result has been compared on the basis of execution time and security of algorithm.
Prime number 11483 19913 1999 Primitive modulo generation (sec) 78.5278 208.6068 5.6546 Key selections (public Key) P g y (11483,1432,10375) (19913, 939, 17743) (1999, 1761, 782) Message recovery (sec) 1.5414 10.0790 0.0910 Signature Verification (sec) 0.0030 0.0057 0.0011

As we can see in the above table, if we take very large prime number then it is difficult to compute discrete logarithm problem over Zp. The primitive modulo generation take more time for larger value of prime number p but message recovery and verification takes nearly the same time. 5.1 Attack to recovery of private key of signer It is almost difficult to compute the discrete logarithm problem over Zp when p is a large prime number and k & t are two random and unknown numbers. Therefore, it is difficult to solve three unknown values S, K & x in equation 4.3 and to recover private key of signer. 5.2 Forgery Attack It is difficult to find x because S, k and x all are unknown in equation 4.3. For given V, t is unknown and difficult to compute Zp (as p is a large prime number). If V and Z both are known then also it is difficult to solve the equation 4.5 because there are two unknown values t and S in equation 4.5. Hence our scheme is secure. 5.3 Suitable for long messages This scheme is suitable for long message because message m is not in exponent as in Kang et al.s scheme, therefore if message is large then also is not impractical and very difficult to solve this equation 4.4. 6. CONCLUSION The signature scheme proposed above can recover message from the signature itself and parameter reduction attack is not applicable on it. The scheme fully supports the message recovery feature, as message can easily recovered from the signature, so there is no need to send message along with the signature. It is also proved in Section 4 that the proposed scheme is more secure due to the use of more random values (K & t) and S is also an implicit value. Key generation use safe and large primes. We can also use this for signing large documents such as files etc. Hence the proposed signature scheme can be applicable in areas like e-banking, e-commerce, and e-voting.

195

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME

ACKNOWLEDGEMENTS I acknowledge my sincere and deep indebtedness to my mentor for his valuable guidance, keen interest and encouragement throughout this work. I also acknowledge my sincere gratitude to authorities of IIT Delhi and other technical staff of Computer services center for their help and assistance. I am also thankful to my fellow faculty research members for their cooperation. REFERENCES [1] An Efficient ID-based Digital Signature with Message Recovery Based on Pairing, Raylin Tso and Chunxiang Gu and Takeshi Okamoto and Eiji Okamoto, 2007, ISBN: 3-540-76968-4 978-3-540-76968-2. R. L. Rivest, A. Shamir, L. Adleman A method for obtaining digital signatures and public-key cryptosystems, Comm. of the ACM, Vol. 21, (1978), S. 120-126. K. Nyberg, R. Rueppel, A new signature scheme based on the DSA giving message recovery, Proc. 1st ACM Conference on computer and Communications Security, Fairfax, Virginia, Nov, 3-3.,(1993), 4 pages. K. Nyberg, R. Rueppel, "Message recovery for signature schemes based on the discrete logarithmic problem , Pre-proceedings of Eurocrypt 94, University of Perugia, Italy, (1994), pp. 175-190. J. M. Piveteau, New signature scheme with message recovery Electronics Letters, Vol. 29, No. 25, (1993), pp. 2185. Chenn Zhi-Ming. An improved encryption algorithm on ElGamal algorithm Computer Applications and Software, 2005, 22 (2): 82-85. Wang Li, Xing Wei, Xu Guang-zhong. ElGamal public-key cryptosystem based on integral quaternions Computer Applications, 2008, 28(5):1156-1157. Lu Hong-wen, Sun Yu-hua. A Public-key Cryptography Using Integral Quaternions. Journal of Tong Ji University, 2003, 31(12) Huang Zhen-Jie, Wang Yu-min, Chen Ke-fei Generalization and improvement of Nyberg-Rueppel message recovery blind signatures [J]. Journal on Communications, 2005, 26(12): 131-135. CHEN Hui-yan, LB Shu-wang, Liu Zhen-hua. Identity Based Signature Scheme with Partial Message Recovery [J]. Chinese Journal of Computers, 2006, 29 (9): 16221627. Cao Tian-jie, Lin Dong-dai. Security analysis of a signature scheme with message recovery Journal of Zhejiang University (Science Edition), 2006, 33 (4): 396~ 397 Kan Yuan-ping. A Signature Scheme wit h Message Recovery Based on Elliptic Curves. Computer engineering and science, 2010, 32(2): 58-59. Haipeng Chen, Xuanjing Shen and Yingda Lv, An Implicit ElGamal Digital Signature Scheme, Journal of Software, vol. 6, no. 7, July 2011 Nyberg K. and Rueppel R.A. message recovery for signature schemes based on the discrete logarithm problem in EUROCRYPT, 1995, 182~193. Wang Qing- ju, Kang Bao- yuan, Han Jin- guang Several new ElGamal Type Digital Signature Schemes and Their Enhanced Schemes [J] Journal of East China Jiaotong University, 2005, 22(5): 127-138
196

[2] [3]

[4]

[5] [6] [7] [8] [9]

[10]

[11] [12] [13] [14] [15]

International Journal of Computer Engineering and Technology (IJCET), ISSN 09766367(Print), ISSN 0976 6375(Online) Volume 4, Issue 2, March April (2013), IAEME
[16] [17] Zhang Hui-ying, Zhang Jun. Research and Design of an Improved ElGamal Digital Signature Scheme [J] Computer Engineering and Science, 2009, 31(12): 35-38. K. Nyberg and R. A. Rueppel A new signature scheme based on the DSA giving message recovery In Proc. of 1st ACM conference on communication and computer security, pages 5861, 1993. M. Abe and T. Okamoto A signature scheme with message recovery as secure as discrete logarithm In Proc. of ASIACRYPT99, volume 1716 of LNCS, pages 378389. SpringerVerlag,1999. C. Y. Yeun. Digital signature with message recovery and authenticated encryption (signcryption) a comparison In IMA - Cryptography and Coding99, volume 1746 of LNCS, pages 307312, 1999. Said Kalkan, Kamer Kaya, Ali Aydin Selcuk, Generalized ID-Based ElGamal Signatures with Message Recovery, ISCIS 2007. Haipeng Chen, Xuanjing Shen and Yingda Lv, An Implicit ElGamal Digital Signature Scheme, Journal of software, Vol. 6, No. 7, 2011, pages 1329-1336. Omar Khadir, New Variant of ElGamal Signature Scheme, Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653 1662. Patrick Horster, Markus Michels, Holger Petersen, Meta Message Recovery and Meta Blind signature schemes based on the discrete logarithm problem and their applications, TR-94-9. Haipeng Chen, Xuanjing Shen, Yingda Lv, Jiaying Lin, An Improved ElGamal Digital Signature Algorithm Based on Adding a Random Number, 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing Sujata Mohanty, Banshidhar Majhi, A Digital Signature Scheme with message recovery and without one-way hash function 2010 International Conference on Advances in Computer Engineering, pages 265-267. Zhang Jun, Zhang Hui Ying, Ji Wei Dong, ElGamal Digital Signature Scheme with a Private Key Pairs Information Engineering and Computer Science (ICIECS), 2010, pages 1-5.

[18]

[19]

[20] [21] [22] [23] [24]

[25]

[26]

AUTHORS

Saima Salmaz, Assistant professor of computer science and engineering at GNIT Greater Noida since 2011, received her B.Tech degree in CSE from Jamia Millia Islamia University in year 2009 and M.Tech Degree from MDU Rohtak in the year 2011. In year 2012, was worked as summer research faculty fellow at IIT Delhi.

Dr. Ram Lal is a faculty in Computer Services Centre at Indian

Institute of Technology Delhi, Hauz-khas, New Delhi 110016, India. His areas of interest are object-oriented programming, Matlab Programming, information technology, e-governance application and system administration. His publications have appeared in various leading journals and international conferences.

197