Message recovery for signature schemes based on the discrete logarithm problem
The new signature scheme presented by the authors in  is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in  is the only inversionless scheme whereas the message recovery variant of the DSA requires computing of inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with large cyclic subgroup as the multiplicative group of GF(2 n ) or elliptic curve over a finite field.
The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.
Unable to display preview. Download preview PDF.
- 1.G. B. Agnew, B. C. Mullin and S. A. Vanstone, Improved digital signature scheme based on discrete exponentation, Electronics Letters, Vol. 26, No. 14 (1990) pp. 1024–1025.Google Scholar
- 2.B. Arazi, Integrating a key distribution procedure into the digital signature standard, Electronics Letters, Vol. 29, No. 11 (1993) pp. 966–967.Google Scholar
- 3.C. Boyd, Comment: New digital signature scheme based on discrete logarithm, Electronics Letters, Vol. 30, No. 6 (1994) p. 480.Google Scholar
- 4.W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, Vol. IT-22, No. 6 (1976) pp. 644–654.Google Scholar
- 5.T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, Vol. IT-31, No. 4 (1985) pp. 469–472.Google Scholar
- 6.FIPS PUB XX, Digital Signature Standard (1993).Google Scholar
- 7.C. G. Günther, Diffie-Hellman and ElGamal Protocols with One Single Authentication Key, Advances in Cryptology—Eurocrypt '89, Lecture Notes in Computer Science, Springer-Verlag, 434 (1990).Google Scholar
- 8.P. Horster and H. Petersen, Verallgemeinerte ElGamal-Signaturen, Proceedings der Fachtagung SIS '94 Verlag der Fachvereine, Zurich (1994).Google Scholar
- 9.P. Horster, M. Michels and H. Petersen, Authenticated encryption schemes with low communication costs, Electronics Letters, Vol. 30, No. 15 (1994).Google Scholar
- 10.ISO/IEC 9796, Information technology—Security techniques—Digital signature scheme giving message recovery.Google Scholar
- 11.N. Koblitz, A course in number theory and cryptography, Graduate Texts in Mathematics, Springer-Verlag (1988).Google Scholar
- 12.V. Miller, Use of elliptic curves in cryptography, Advances in Cryptography—Proceedings of Crypto '85, Lecture Notes in Computer Science, Springer-Verlag, 218 (1986) pp. 417–426.Google Scholar
- 13.K. Nyberg and R. A. Rueppel, A new signature scheme based on the DSA giving message recovery, 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia (Nov. 3–5, 1993).Google Scholar
- 14.K. Nyberg and R. A. Rueppel, Weaknesses in some recent key agreement protocols, Electronics Letters, Vol. 30, No. 1 (1994) pp. 26–27.Google Scholar
- 15.K. Nyberg, Comment: New digital signature scheme based on discrete logarithm, Electronics Letters, Vol. 30, No. 6 (1994) p. 481.Google Scholar
- 16.J. -M. Piveteau, New signature scheme with message recovery, Electronics Letters, Vol. 29, No. 25 (1993) p. 2185.Google Scholar
- 17.C. P. Schnorr, Letter: Reply to the request of NIST for comments on the DSA (Oct. 30, 1991).Google Scholar
- 18.C. P. Schnorr, Efficient Signature Generation by Smart Cards, J. Cryptology, Vol. 4 (1991) pp. 161–174.Google Scholar
- 19.S.-M. Yen and C.-S. Laih, New digital signature scheme based on discrete logarithm, Electronics Letters, Vol. 29, No. 12 (1993) pp. 1120–1121.Google Scholar