Signature schemes based on factoring and discrete logarithms

Z. Shao

Abstract: The paper proposes two new digital signature schemes, the security of which is based on the difficulties of computing discrete logarithms and factoring, and the performance of which is similar to those of the original ElGamal signature scheme and the Harn signature scheme. The paper also considers some possible attacks, and shows that the two schemes are more secure than the original ElGamal signature scheme and the Harn signature scheme.

Indexing terms: Cryptography, Digital signature scheme, Discrete logarithm, Factoring

1 Introduction

In 1976 Diffie and Hellman invented the concept of public-key cryptography [1]. Since then, several public-key cryptosystems based on just one hard problem, such as the factorisation problem or the discrete logarithm problem, have been proposed [2, 3]. If these cryptographic assumptions become easy to solve, the corresponding cryptosystems will no longer be secure. However, it is very unlikely that multiple cryptographic assumptions would simultaneously become easy to solve. Thus several cryptographic systems try to base their security on solving multiple hard problems simultaneously so as to enhance security [4-7]. However, the performance of these cryptosystems is not better than those of the original ElGamal scheme and RSA. The disadvantages are: (1) the size of the public key becomes large; (2) more modular exponentiations are required; (3) every user would use his own public modulus.

This paper presents two new signature schemes based on two different cryptographic assumptions to enhance the security in a significantly different fashion, while maintaining similar efficiency of implementation to the original ElGamal signature scheme and the Harn signature scheme.

This paper shows that the Harn signature scheme is vulnerable to substitution attack if it does not use a one-way hash function, while the signature schemes we propose can resist substitution attack if the factorisation problem is unsolvable.

© IEE, 1998

IEE Proceedings online no. 19981113

Paper first received 27th May and in revised form 13th October 1997

The author is with Hangzhou Industrial & Commercial Institute of Financial Managers, The Bank of China, Hangzhou, Zhejiang 310023, People's Republic of China

2 Digital signature schemes

2.1 Scheme generation

Let $p$ be a large prime $p = 4p_1q_1 + 1$, where $p_1 = 2p_2 + 1$, $q_1 = 2q_2 + 1$, and $p_1, p_2, q_1, q_2$ are all large primes. These parameters are selected by a trusted key centre and will never be used by any user, and thus can be discarded once $p$ is produced. The two factors $p_1, q_1$ must be kept secret from any user.

The key centre selects an element $g$ of order $p_1q_1$, i.e. $g^{p_1q_1} \equiv 1 \pmod p$ and $g^{p_1} \not\equiv 1 \pmod p$, $g^{q_1} \not\equiv 1 \pmod p$.

Any user A has a secret key $x$ ($1 < x < p_1q_1/2$), and a public key $y = g^{x^2 + x^{-2}} \pmod p$.

2.2 Signature scheme 1

The digital signature of a message $m$ is $(k, r, s)$ such that

$$y^{s^2 + r^2} \equiv r^{m^2 + k^2} \cdot g^{4(mk - sr)} \pmod p \qquad (1)$$

and $k$ is odd.

To sign a message $m$, the user A does the following:

(I) Randomly chooses an integer $t$, $1 < t < p_1q_1/2$.

(II) Computes

$$r = g^{t^2 + t^{-2}} \pmod p \qquad (2)$$

(III) Finds $s, k$ such that

$$xs + x^{-1}r \equiv mt + kt^{-1} \pmod{p_1q_1} \qquad (3)$$

$$x^{-1}s + xr \equiv mt^{-1} + kt \pmod{p_1q_1} \qquad (4)$$

with $k$ odd; i.e. solves the system of linear equations

$$xs - kt^{-1} \equiv mt - x^{-1}r \pmod{p_1q_1}$$

$$x^{-1}s - kt \equiv mt^{-1} - xr \pmod{p_1q_1}$$

If $k$ is even, then chooses a new value (e.g. replacing $t$ by $-t$, $t^{-1}$ or $-t^{-1}$) and repeats until $k$ is odd.

(IV) Sends $\mathrm{sig}(m) = (k, r, s)$ as the signature.

Theorem 1. If the signer follows the above protocol, the recipient always accepts the signature.

Proof. From eqns. 3 and 4, taking squares

$$x^2s^2 + 2sr + x^{-2}r^2 \equiv m^2t^2 + 2mk + k^2t^{-2} \pmod{p_1q_1}$$

$$x^{-2}s^2 + 2sr + x^2r^2 \equiv m^2t^{-2} + 2mk + k^2t^2 \pmod{p_1q_1}$$

Taking sums

$$(x^2 + x^{-2})(s^2 + r^2) + 4sr \equiv (t^2 + t^{-2})(m^2 + k^2) + 4mk \pmod{p_1q_1}$$

$$(x^2 + x^{-2})(s^2 + r^2) \equiv (t^2 + t^{-2})(m^2 + k^2) + 4(mk - sr) \pmod{p_1q_1} \qquad (5)$$

so

$$g^{(x^2 + x^{-2})(s^2 + r^2)} \equiv g^{(t^2 + t^{-2})(m^2 + k^2)} \cdot g^{4(mk - sr)} \pmod p$$

or

$$y^{s^2 + r^2} \equiv r^{m^2 + k^2} \cdot g^{4(mk - sr)} \pmod p$$

IEE Proc.-Comput. Digit. Tech., Vol. 145, No. 1, January 1998

2.3 Signature scheme 2

The digital signature of a message $m$ is $(k, r, s)$ such that

$$y^{s^2 + r^2} \equiv r^{m^2(m^2 + k^2)} \cdot g^{4(m^3k - sr)} \pmod p \qquad (6)$$

and $k$ is odd.

To sign a message $m$, the user A does the following:

(I) Randomly chooses an integer $t$, $1 < t < p_1q_1/2$.

(II) Computes

$$r = g^{t^2 + t^{-2}} \pmod p$$

(III) Finds $s, k$ such that

$$xs + x^{-1}r \equiv m^2t + kmt^{-1} \pmod{p_1q_1}$$

$$x^{-1}s + xr \equiv m^2t^{-1} + kmt \pmod{p_1q_1}$$

with $k$ odd, i.e. solves the system of linear equations

$$xs - kmt^{-1} \equiv m^2t - x^{-1}r \pmod{p_1q_1}$$

$$x^{-1}s - kmt \equiv m^2t^{-1} - xr \pmod{p_1q_1}$$

If $k$ is even, then chooses a new value (e.g. replacing $t$ by $-t$, $t^{-1}$ or $-t^{-1}$) and repeats until $k$ is odd.

(IV) Sends $\mathrm{sig}(m) = (k, r, s)$ as the signature.

Note: If $(m, k, r, s)$ satisfies eqn. 1 or eqn. 6, then $(-m, -k, r, s)$ also satisfies eqn. 1 or eqn. 6. However, just one of $k$ and $-k$ is odd, since $k + (-k \bmod p_1q_1) = p_1q_1$. If $k$ is odd, then $-k$ must be even.
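As an added worked example (toy code written for this page, not the paper's own), here is signature scheme 1 end to end with constructed parameters $p = 1013$, $p_1 = 11$, $q_1 = 23$ and a secret key of my own choosing; note that $p_1q_1 = (p-1)/4$ is public, so the verifier can insist that $k$ is odd and canonical in $[0, p_1q_1)$, which is what makes the note above about $(-m, -k, r, s)$ bite.

```python
from math import gcd
import random

# Constructed toy parameters (not from the paper): p = 4*p1*q1 + 1 with
# p1 = 2*p2 + 1 and q1 = 2*q2 + 1 all prime. Real deployments need large primes.
P1, Q1 = 11, 23                 # p2 = 5, q2 = 11
P = 4 * P1 * Q1 + 1             # 1013, prime
N = (P - 1) // 4                # p1*q1 = 253: public, only its factors are secret

def find_g():
    """h^4 has order dividing p1*q1; keep the first one whose order is exactly p1*q1."""
    for h in range(2, P):
        g = pow(h, 4, P)
        if pow(g, P1, P) != 1 and pow(g, Q1, P) != 1:
            return g
    raise ValueError("no element of order p1*q1")

G = find_g()

def inv(a):
    return pow(a % N, -1, N)    # inverse modulo p1*q1 (Python 3.8+)

def pubkey(x):
    """y = g^(x^2 + x^-2) mod p; exponent arithmetic is modulo p1*q1."""
    return pow(G, (x * x + inv(x) ** 2) % N, P)

def sign(m, x, seed=None):
    """Scheme 1 signing: returns (k, r, s) with k odd, retrying t as the paper says."""
    rng = random.Random(seed)
    while True:
        t = rng.randrange(2, N // 2)
        if gcd(t, N) != 1:
            continue
        ti, xi = inv(t), inv(x)
        r = pow(G, (t * t + ti * ti) % N, P)                 # eqn (2)
        # Linear system from eqns (3),(4):  x*s - t^-1*k = m*t - x^-1*r
        #                                   x^-1*s - t*k = m*t^-1 - x*r
        a, b, c, d = x, -ti, xi, -t
        e1, e2 = (m * t - xi * r) % N, (m * ti - x * r) % N
        det = (a * d - b * c) % N
        if gcd(det, N) != 1:
            continue                                         # singular: pick another t
        di = inv(det)
        s = (e1 * d - b * e2) * di % N                       # Cramer's rule
        k = (a * e2 - c * e1) * di % N
        if k % 2 == 1:
            return k, r, s

def eqn1_holds(m, sig, y):
    """Eqn (1) alone: y^(s^2+r^2) == r^(m^2+k^2) * g^(4(mk-sr)) mod p."""
    k, r, s = sig
    lhs = pow(y, s * s + r * r, P)
    rhs = pow(r, m * m + k * k, P) * pow(G, (4 * (m * k - s * r)) % N, P) % P
    return lhs == rhs

def verify(m, sig, y):
    """Full check: k odd and canonical in (0, p1*q1), then eqn (1)."""
    k = sig[0]
    return 0 < k < N and k % 2 == 1 and eqn1_holds(m, sig, y)
```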

3 Discussion

3.1 Try to recover the secret key $x$ from the public key $y = g^{x^2 + x^{-2}} \pmod p$, or the session key $t$ from $r = g^{t^2 + t^{-2}} \pmod p$

Theorem 2. The problem of recovering $x$ from the equation $y = g^{x^2 + x^{-2}} \pmod p$ is polynomially equivalent to computing both the factorisation of $p_1q_1$ and the discrete logarithm of $y = g^u \pmod p$.

Proof: Assume that the attackers can compute both the factorisation of $p_1q_1$ and the discrete logarithm of $y = g^u \pmod p$. They can compute $x^2 + x^{-2} \equiv u \pmod{p_1q_1}$ from $y = g^u \pmod p$, then find $x$ from this.

Conversely, assume that the attackers can recover $x$ from the equation $y = g^{x^2 + x^{-2}} \pmod p$ by applying some algorithm AL.

Let $y = g^u \pmod p$ be any discrete logarithm problem. Perhaps there does not exist an integer $x$ such that $x^2 + x^{-2} \equiv u \pmod{p_1q_1}$. However, there must exist an integer $x$ such that $x^2 + x^{-2} \equiv u + d \pmod{p_1q_1}$ for some integer $d$. The attackers can find $x$ from $yg^d = g^{x^2 + x^{-2}} \pmod p$ by repeatedly applying the algorithm AL for $d = 0, 1, 2, \ldots$ Hence $u \equiv x^2 + x^{-2} - d \pmod{p_1q_1}$.

Let $x^2 \equiv w \pmod{p_1q_1}$ be any quadratic equation (this problem reduces to factoring $p_1q_1$). The attackers compute $u = w + w^{-1} \equiv x^2 + x^{-2} \pmod{p_1q_1}$ and $y = g^u \pmod p$. They can find $x$ from the equation $y = g^{x^2 + x^{-2}} \pmod p$ by applying the algorithm AL.

Corollary. The problem of recovering $x$ from the equation $y = g^{x^2 + d} \pmod p$ is polynomially equivalent to computing both the factorisation of $p_1q_1$ and the discrete logarithm of $y = g^u \pmod p$, where $d$ is given.

3.2 Try to forge the signature of a message $m$

(I) The attackers first choose an integer $r$, then find $k, s$ from eqn. 1 (or from eqn. 6). In eqn. 1, the two terms $y^{s^2 + r^2}$ and $g^{4(mk - sr)}$ depend on $s$, and the two terms $r^{m^2 + k^2}$ and $g^{4(mk - sr)}$ depend on $k$. If $y^{s^2 + r^2}$ and $r$ are given, the problem of recovering $s$ is polynomially equivalent to computing both the factorisation of $p_1q_1$ and the discrete logarithm of $y = g^u \pmod p$. Hence this task is more difficult than solving the discrete logarithm and factoring simultaneously.

(II) The attackers first choose two integers $k, s$, then find $r$ from eqn. 1 (or from eqn. 6). This task is more difficult than solving the discrete logarithm and factoring simultaneously. In the Harn signature scheme, the attackers might forge a signature as follows: they choose an integer $s$ first, then compute $s' = s^3 \bmod (p_A - 1)$, and finally compute the corresponding $r$ from $\alpha_A^m \equiv r^{s'} y_A^r \pmod{p_A}$. We believe that this task is an extremely difficult problem, and in all likelihood is more difficult than the discrete logarithm problem itself. However, the attackers do not need to factor $(p_A - 1)/2 = p'q'$. The above attack can be avoided if $H(m)$ is replaced by $H(m, r)$, or $r$ is replaced by $r' = r^{d_A} \bmod (p_A - 1)$; this would increase the complexity of the Harn signature scheme.

(III) The attackers find $k, r, s$ from eqn. 1 (or from eqn. 6) simultaneously. This task is also more difficult than solving the discrete logarithm and factoring simultaneously.

(IV) The attackers try to find any solution $s, k$ of eqns. 3 and 4, or try to find any solution of eqn. 5. However, this is impossible since $x$ is unknown.

3.3 Substitution attack [8, 7]

Some digital signature schemes are vulnerable to substitution attack. This means that, given a valid signature of a known message, it is computationally feasible to generate a valid signature of another, different message without knowledge of the private keys.

We can show that the Harn signature scheme is vulnerable to substitution attack if it does not use a one-way hash function, as is the original ElGamal scheme.

The verification equation of the Harn scheme is

$$g^M \equiv y^r r^{s^3 \bmod (p-1)} \pmod p$$

The corresponding signature equation is

$$M = xr + ks^3 \pmod{p - 1}$$

where $r = g^k \pmod p$.


proposed above.

In scheme 1

$(1 - v^2) \equiv 0 \pmod{p_1q_1}$

$p_1q_1)$, implies $k' = kv$ or $k =$

exists one trivial su

message.

ion attack $m \to k$ or $m \to -k$.

In scheme 2

Hence

$q_1)$. Because $k$ and $p_1q_1$ are all odd, $-k$ is even.

Case 2. Assume tha ains invariant.

such that

We can show similar results for scheme 2 by the same reasoning.

Case 3. Assume that $k, r, s$ do not remain invariant.

In scheme 1, the signature equation is

$$(x^2 + x^{-2})(s^2 + r^2) \equiv (t^2 + t^{-2})(m^2 + k^2) + 4(mk - sr) \pmod{p_1q_1}$$

Let $u$ be an integer; compute $v = g^u \pmod p$. Then

$$(x^2 + x^{-2})((sv)^2 + (rv)^2) \equiv (t^2 + t^{-2})((mv)^2 + (kv)^2) + 4((mv)(kv) - (sv)(rv)) \pmod{p_1q_1}$$

Suppose that $s' = sv \pmod{p_1q_1}$, $r' = rv \pmod p$; then $r' = g^{t^2 + t^{-2} + u} \pmod p$ and

$$(x^2 + x^{-2})((sv)^2 + (rv)^2) \equiv (t^2 + t^{-2} + u)((mv)^2 + (kv)^2) + 4((mv)(kv) - (sv)(rv)) - u((mv)^2 + (kv)^2) \pmod{p_1q_1}$$

The last term $-u((mv)^2 + (kv)^2)$ cannot be merged into the other terms if the attackers cannot find square roots modulo $p_1q_1$.

Conversely, they can find $m'$ and $k'$ such that

$$m'^2 + k'^2 \equiv (mv)^2 + (kv)^2 \pmod{p_1q_1}$$

$$4m'k' \equiv 4(mv)(kv) - u((mv)^2 + (kv)^2) \pmod{p_1q_1}$$

Hence $\mathrm{sig}(m') = (k', r', s')$. We can show similar results for scheme 2 by the same reasoning. Therefore we have the following conclusion:

The Harn signature scheme is vulnerable to substitution attack if it does not use a one-way hash function, while the signature schemes we proposed can resist a substitution attack if the factorisation is unsolvable.

3.4 Homomorphism attack [9]

He and Kiesler pointed out that for all ElGamal-type signature schemes, if three session keys $k_i$ were used to generate $r_i$ ($i = 1, 2, 3$), and $k_3 = k_1 + k_2$, then $r_3 = r_1r_2$, and this equation can be recognised by the attackers. From these relations they can easily obtain the private key $x$.

We think that this attack is only a special kind of homomorphism attack, because the multiplicative cyclic group modulo $p$ is isomorphic to the additive cyclic group modulo $p - 1$. For the private key $x$ and some session keys $k_i$, each additive equation

$$ux + u_1k_1 + u_2k_2 + \cdots + u_nk_n \equiv e \pmod{p - 1}$$

corresponds to a multiplicative equation

$$y^u r_1^{u_1} r_2^{u_2} \cdots r_n^{u_n} \equiv g^e \pmod p$$

If $u, u_1, u_2, \ldots, u_n$ are large, recognising such an equation is equivalent, for the attackers, to computing the discrete logarithm. Conversely, if $u, u_1, u_2, \ldots, u_n$ are small, more session keys are used, and there is more possibility of the attackers recognising such an equation.

Hence we think that the probability of a homomorphism attack is greater than He and Kiesler thought.

In the Harn signature scheme, if a homomorphism attack happens, the attackers can get the private key $x$. However, they cannot forge the signature of an arbitrary message unless they are able to get cubic roots modulo $p - 1$.

In either of our proposed schemes, if a homomorphism attack happens, the attackers cannot get the private key $x$ unless they are able to solve the equation

$$x^2 + x^{-2} \equiv v \pmod{p_1q_1}$$

This task is of similar difficulty to that of factoring $p_1q_1$. If so, they are able to forge the signature of an arbitrary message.

4 Performance

In our proposed signature schemes, one modular exponentiation is required for computing one signature, and two modular exponentiations are required for verifying one signature by applying the technique specified by the DSS algorithm. The computational time required for addition and multiplication can be ignored. This performance is very similar to the original ElGamal scheme, while two modular exponentiations are required for computing one signature in the Harn signature scheme.

In our proposed signature schemes, one common public prime modulus $p$ and one common element $g$ are used by all users. This performance is the same as the original ElGamal scheme, while each user should have his own public modulus in the Harn signature scheme. This allows a practical system to be developed much more easily.

Our proposed signature schemes can resist substitution attack if the factorisation is unsolvable, while the Harn signature scheme is vulnerable to substitution attack if it does not use a one-way hash function.

Practically, the length of messages to be signed is longer than the length of $p_1q_1$. For a general purpose signature scheme, the signature scheme must use a one-way hash function to compress messages, otherwise the messages $m$ and $m'$ would have the same signature as long as $m \equiv m' \pmod{p_1q_1}$. If the hash function is $n = H(m, r)$, the verification equation would be

However, the schemes we proposed are suitable on some special occasions. If the length of messages with a fixed format is stipulated by the protocol to be not longer than that of $p_1q_1$, no one-way hash function is required.

In our proposed signature schemes, the only disadvantage is that the message expansion is three, while those of the original ElGamal scheme and the Harn scheme are two.

5 Conclusion

We have proposed two new digital signature schemes, the security of which is equivalent to computing both the discrete logarithm and the factorisation problem. Some possible attacks are considered. We think that the two schemes have a greater ability to resist substitution attack and homomorphism attack than the original ElGamal scheme and the Harn scheme, while maintaining similar efficiency of implementation.

The only disadvantage of the two new schemes is that the message expansion is three. This shortcoming results in an open problem: can we design a digital signature scheme which offers the same security as we propose here and the same performance as the original ElGamal scheme?

6 References

1 DIFFIE, W., and HELLMAN, M.E.: 'New directions in cryptography', IEEE Trans., 1976, IT-22, pp. 644-654

2 RIVEST, R.L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining digital signatures and public-key cryptosystems', Commun. ACM, 1978, 21, (2), pp. 120-126

3 ELGAMAL, T.: 'A public key cryptosystem and a signature scheme based on discrete logarithms', IEEE Trans., 1985, IT-31, pp. 469-472

4 McCURLEY, K.S.: 'A key distribution system equivalent to factoring', J. Cryptol., 1988, 1, (2), pp. 95-105

5 BRICKELL, E.F., and McCURLEY, K.S.: 'An interactive identification scheme based on discrete logarithms and factoring', J. Cryptol., 1992, 5, (1), pp. 29-39

6 HARN, L.: 'Public-key cryptosystem design based on factoring and discrete logarithms', IEE Proc. Comput. Digit. Tech., 1994, 141, (3), pp. 193-195

7 LEE, N.Y., and HWANG, T.: 'Modified Harn signature scheme based on factorising and discrete logarithms', IEE Proc. Comput. Digit. Tech., 1996, 143, (3), pp. 196-198

8 NYBERG, K.: 'New digital signature scheme based on discrete logarithm (comment)', Electron. Lett., 1994, 30, (6), pp. 481

9 HE, J., and KIESLER, T.: 'Enhancing the security of original ElGamal's signature scheme', IEE Proc. Comput. Digit. Tech., 1994, 141, (4), pp. 249-252
