A message recovery signature scheme equivalent to DSA over elliptic curves

  • Atsuko Miyaji
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1163)

Abstract

The ElGamal signature ([3]) is based on the difficulty of the discrete logarithm problem (DLP). Many variants of the ElGamal signature scheme have been proposed, such as the NIST Digital Signature Algorithm (DSA) ([10]) and a new signature with a message recovery feature ([12]). The message recovery feature has the advantage of a small signed message length, which is especially effective in applications such as identity-based public key systems ([4]) and the key exchange protocol ([2]). However, its security is not widely accepted because only a few years have passed since the scheme was proposed. Even the relative security between the new message recovery scheme and already-existing schemes is scarcely known. In this paper, we give a strict definition of the concept of equivalent classes ([14]) between signature schemes. According to this definition, we discuss the security relation between signature schemes. The concept also explains well why the Bleichenbacher attack ([1]) works for ElGamal but not for DSA. We show that an elliptic curve gives the message recovery signature equivalent to DSA. Furthermore, we investigate the new attack over elliptic curves and present its new trapdoor generating algorithm. We also show that the trapdoor does not exist in a particular kind of elliptic curves.


References

  1. D. Bleichenbacher, “Generating ElGamal signatures without knowing the secret key”, to appear in Advances in Cryptology-Proceedings of EUROCRYPT'96.
  2. W. Diffie and M. Hellman, “New directions in cryptography”, IEEE Trans. Inform. Theory, Vol. IT-22 (1976), 644–654.
  3. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Trans. Inform. Theory, Vol. IT-31 (1985), 469–472.
  4. C. G. Günther, “An identity-based key-exchange protocol”, Advances in Cryptology-Proceedings of Eurocrypt'89, Lecture Notes in Computer Science, 434 (1990), Springer-Verlag, 29–37.
  5. G. Harper, A. Menezes and S. Vanstone, “Public-key cryptosystems with very small key lengths”, Advances in Cryptology-Proceedings of Eurocrypt'92, Lecture Notes in Computer Science, 658 (1993), Springer-Verlag, 163–173.
  6. N. Koblitz, “Elliptic curve cryptosystems”, Mathematics of Computation, 48 (1987), 203–209.
  7. V. S. Miller, “Use of elliptic curves in cryptography”, Advances in Cryptology-Proceedings of Crypto'85, Lecture Notes in Computer Science, 218 (1986), Springer-Verlag, 417–426.
  8. A. Miyaji, “On ordinary elliptic curves”, Advances in Cryptology-Proceedings of ASIACRYPT'91, Lecture Notes in Computer Science, 739 (1993), Springer-Verlag, 460–469.
  9. A. Miyaji, “Elliptic curve over F_p suitable for cryptosystems”, Advances in Cryptology-Proceedings of AUSCRYPT'92, Lecture Notes in Computer Science, 718 (1993), Springer-Verlag, 479–491.
  10. “Proposed federal information processing standard for digital signature standard (DSS)”, Federal Register, v. 56, n. 169, 30 Aug 1991, 42980–42982.
  11. A. Menezes, T. Okamoto and S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a finite field”, Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, 80–89, 1991.
  12. K. Nyberg and R. A. Rueppel, “A new signature scheme based on the DSA giving message recovery”, Proceedings of 1st ACM Conference on Computer and Communications Security, 1993.
  13. K. Nyberg and R. A. Rueppel, “Message recovery for signature schemes based on the discrete logarithm problem”, Advances in Cryptology-Proceedings of Eurocrypt'94, Lecture Notes in Computer Science, 950 (1995), Springer-Verlag, 182–193.
  14. K. Nyberg and R. A. Rueppel, “Message recovery for signature schemes based on the discrete logarithm problem”, Designs Codes and Cryptography, 7 (1996), 61–81.
  15. R. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Communications of the ACM, Vol. 21, No. 2 (1978), 120–126.
  16. K. Sakurai and H. Shizuya, “Relationships among the computational powers of breaking Discrete Log cryptosystems”, Advances in Cryptology-Proceedings of Eurocrypt'95, Lecture Notes in Computer Science, 921 (1995), Springer-Verlag, 341–355.
  17. C. P. Schnorr, “Efficient identification and signatures for smart cards”, Advances in Cryptology-Proceedings of Crypto'89, Lecture Notes in Computer Science, 435 (1989), Springer-Verlag, 239–252.
  18. J. H. Silverman, The Arithmetic of Elliptic Curves, GTM 106, Springer-Verlag, New York, 1986.
  19. A. Shamir, R. Rivest and L. Adleman, “Mental Poker”, MIT/LCS, TM-125, (Feb. 1979).

Copyright information

© Springer-Verlag 1996

Authors and Affiliations

  • Atsuko Miyaji (1)
  1. Multimedia Development Center, Matsushita Electric Industrial Co., Ltd., Japan
