Message recovery for signature schemes based on the discrete logarithm problem

  • Kaisa Nyberg
  • Rainer A. Rueppel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 950)


The new signature scheme presented by the authors in [9] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal type schemes have variants giving message recovery and achieve five new signature schemes giving message recovery. These schemes have different properties as to implementation and security. It turns out that the scheme proposed in [9] is the only inversionless scheme whereas the message recovery variant of the DSA requires computing of inverses in both generation and verification of signatures. In [9] two applications of message recovery were proposed. In the present paper it is shown how to combine ElGamal encryption and the message recovery scheme of [9] and how to securely integrate the DSA into Diffie-Hellman key exchange.


Hash Function Signature Scheme Signature Equation Discrete Logarithm Problem Electronics Letter 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    G. B. Agnew, B. C. Mullin and S. A. Vanstone, Improved Digital Signature Scheme Based on Discrete Exponentiation, Electronics Letters 26 (14), 1990, pp. 1024–1025Google Scholar
  2. 2.
    B. Arazi, Integrating a Key Distribution Procedure into the Digital Signature Standard, Electronics Letters 29 (11), 1993, pp. 966–967.Google Scholar
  3. 3.
    C. Boyd, Comment: New Digital Signature Scheme Based on Discrete Logarithm, Electronics Letters, 30 (6), March 1994, p. 480.CrossRefGoogle Scholar
  4. 4.
    W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Trans. Inform. Theory, IT-22(6), November 1976, pp. 644–654.CrossRefMathSciNetGoogle Scholar
  5. 5.
    T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. Inform. Theory, IT-31(4), July 1985, pp. 469–472.CrossRefMathSciNetGoogle Scholar
  6. 6.
    FIPS PUB XX, 1993 February 1, Digital Signature Standard. 434Google Scholar
  7. 7.
    P. Horster and H. Petersen, Verallgemeinerte ElGamal-Signaturen, Proceedings der Fachtagung SIS'94, Verlag der Fachvereine, Zürich 1994.Google Scholar
  8. 8.
    ISO/IEC 9796, Information technology-Security techniques-Digital signature scheme giving message recovery.Google Scholar
  9. 9.
    K. Nyberg and R. A. Rueppel, A New Signature Scheme Based on the DSA Giving Message Recovery, 1st ACM Conference on Computer and Communications Security, Nov 3–5, 1993, Fairfax, VirginiaGoogle Scholar
  10. 10.
    K. Nyberg and R. A. Rueppel, Weaknesses in Some Recent Key Agreement Protocols, Electronics Letters, 30 (1), January 1994, pp. 26–27.CrossRefGoogle Scholar
  11. 11.
    K. Nyberg, Comment: New Digital Signature Scheme Based on Discrete Logarithm, Electronics Letters, 30 (6), March 1994, p. 481.CrossRefGoogle Scholar
  12. 12.
    J.-M. Piveteau, New signature scheme with message recovery, Electronics Letters, 29 (25), December 1993, p. 2185.Google Scholar
  13. 13.
    C. P. Schnorr, Efficient Signature Generation by Smart Cards, J. Cryptology, 4, 1991, pp. 161–174.zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    S.-M. Yen and C.-S. Laih, New Digital Signature Scheme Based on Discrete Logarithm, Electronics Letters, 29 (12), 1993, pp. 1120–1121Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Kaisa Nyberg
    • 1
  • Rainer A. Rueppel
    • 2
  1. 1.ViennaAustria
  2. 2.R3 Security Engineering AGSwitzerland

Personalised recommendations