CA2588149A1 - A digital signature scheme based on the divisional algorithm and the discrete logarithm problem - Google Patents
- Publication number
- CA2588149A1
- Authority
- CA
- Canada
- Prior art keywords
- digital signature
- algorithm
- int
- creating
- message
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Abstract
A digital signature algorithm, based on the difficulty of computing the discrete logarithm problem, is different from the ElGamal and DSA schemes. The digital signature algorithm can be naturally and easily combined with a new scheme of Message Authentication Coding with transformations. Thus, in this framework, one can easily implement both a Message Authentication Coding system (with transformations that allow generating a MAC value with sufficiently improved characteristics of security) and the proposed digital signature scheme without any additional programming tools.
Description
A DIGITAL SIGNATURE SCHEME BASED ON THE DIVISION ALGORITHM AND THE DISCRETE LOGARITHM PROBLEM.
This application claims the benefit of priority of Canadian Patent Application No. CA 2,545,975 filed May 9, 2006, which is incorporated herein by reference.
1. INTRODUCTION
Digital Signature is a method of authenticating digital information. The output of a digital signature algorithm is a binary string (or a pair of strings) that provides authenticity, integrity and non-repudiation of the transmitted message.
Digital signature algorithms are based on public key cryptography (A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1997) and consist of two parts - a signing algorithm and a verification algorithm.
Digital signature algorithms, such as Lamport Signatures, Matyas-Meyer Signatures, RSA Signatures, ElGamal Signatures and others, are well-known and widely used in practice (Josef Pieprzyk, Thomas Hardjono, Jennifer Seberry, Fundamentals of Computer Security, Springer-Verlag, 2003).
The National Institute of Standards and Technology (NIST) has published the Federal Information Processing Standard FIPS PUB 186, also known as the Digital Signature Standard (DSS). The DSS uses SHA as the hashing algorithm and the Digital Signature Algorithm (DSA). The DSA is based on the difficulty of computing the discrete logarithm problem and on schemes presented by ElGamal and Schnorr (Josef Pieprzyk, Thomas Hardjono, Jennifer Seberry, Fundamentals of Computer Security, Springer-Verlag, 2003).
We present a digital signature algorithm, which is also based on the difficulty of computing the discrete logarithm problem (I. F. Blake, G. Seroussi, N. Smart, Elliptic Curves in Cryptography, LMS Lecture Notes 265, Cambridge University Press, Cambridge, 2000), but is different from the ElGamal and DSA schemes.
The main advantage of the presented digital signature algorithm is that it can be naturally and easily combined with the new scheme of Message Authentication Coding with transformations proposed by the authors (Canadian Patent Application No. CA 2,552,085; U.S. Patent Application Serial No. 11/457,669). Thus, in this framework, one can easily implement both a Message Authentication Coding system (with transformations that allow generating a MAC value with sufficiently improved characteristics of security) and the proposed digital signature scheme without any additional programming tools.
2. A DIGITAL SIGNATURE SCHEME
We will first consider some background information (Josef Pieprzyk, Thomas Hardjono, Jennifer Seberry, Fundamentals of Computer Security, Springer-Verlag, 2003). A digital signature scheme is a collection of two algorithms: the signing algorithm and the verification algorithm.
The signing algorithm $SG: \Gamma \times \Delta \to S$ assigns a signature $s$ to a pair $d, m$, where $d \in \Gamma$ is a secret key and $m \in \Delta$ is a message, that is, $SG(d, m) = s$.
The verification algorithm $VER: \Gamma' \times \Delta \times S \to \{t, f\}$ uses the public key $e \in \Gamma'$ of the signer and the message $m \in \Delta$, and checks whether the pair $(e, m)$ matches the signature $s$. If there is a match, the algorithm returns $t$ (TRUE). Otherwise, it returns $f$ (FALSE).
2.1. ElGamal Digital Signature Scheme. As an example of a digital signature, consider the ElGamal algorithm, variants of which are in actual use (Josef Pieprzyk, Thomas Hardjono, Jennifer Seberry, Fundamentals of Computer Security, Springer-Verlag, 2003).
A sender (Sally) considers a finite field $GF(p)$, in which the discrete logarithm problem is difficult. Then, she selects a primitive element $g \in GF(p)^*$ and a random integer $k$ in the interval $[1, p - 1]$. This allows one to compute the public key $g^k \bmod p$.
Then, Sally sends $g^k$, $g$ and $p$ to the public registry.
The Signing algorithm:
For a message $m \in GF(p)$, Sally selects a random integer $r \in [1, p - 1]$, such that $\gcd(r, p - 1) = 1$, and calculates $x = g^r \bmod p$.
Then, she solves the following congruence for $y$: $m \equiv k \times x + r \times y \bmod p$.
The signature is $s = SG_k(m) = (x, y)$.
Sally keeps $k$ and $r$ secret.
The Verification algorithm:
A receiver (Bob) receives the message $m$ and $s = (x, y)$. He then checks whether $VER(m, s) = (g^m \equiv (g^k)^x \times x^y \bmod p)$.
3. THE PROPOSED DIGITAL SIGNATURE SCHEME
Now, we want to present a digital signature scheme that naturally arises and can be effectively combined with a MAC (or Hash) function with transformation, considered earlier by the authors (Canadian Patent Application No. CA 2,552,085; U.S. Patent Application Serial No. 11/457,669).
We remark that when we consider a message x in a digital signature, we deal with the hash or MAC value of the original message.
The Signing Procedure. We begin with a cyclic group $G$ of prime order of size $2^t$. We also fix a generator $g$ of $G$. A sender chooses a private key $K$, say of $k$ bits.
Then, the sender computes the public key $g^{\mathrm{int}(K)}$. Given a message $M$, it is hashed or MAC-ed to $m$. We assume that $m$ has $h$ bits where
(1) $h < k$ and
(2) $\max(h, k - h) < t$.
Then a random sessional number $z \neq 0$ is generated, which is kept secret. The number of bits of $z$ is at most $h$. Then, using the division algorithm, the sender calculates a unique pair of integers $q$ and $r$ such that
(3) $\mathrm{int}(K) = (\mathrm{int}(m) + z)q + r$.
Here, $\mathrm{int}(K)$ and $\mathrm{int}(m)$ are integers, the binary presentation of which are the sequences of bits $K$ and $m$, correspondingly.
The digital signature is the pair $(x, y)$ where $x = g^{(-zq-r)}$ and $y = g^q$.
If, by coincidence, $zq + r$ is 0 it is necessary to choose another $z$ and recalculate the pair $q$ and $r$ in accordance with (3).
The Verification Procedure. A receiver obtains a message $M'$ and a digital signature in the form of a pair $(x, y)$. Besides, a receiver knows the public key as well as the group $G$ and the generator $g$.
The message $M'$ is hashed (or MAC-ed with the corresponding key) to $m'$, and the following two expressions are calculated
(4) $x\,g^{\mathrm{int}(K)}$ and $y^{\mathrm{int}(m')}$.
If they are equal, then the signature is valid. If they are not equal, the signature is not valid and the message may be rejected.
The next theorem shows that the proposed scheme and the evaluation procedure are correct.
Theorem 1. If $M$ and $M'$ are two messages for which the hash $m$ and $m'$ are distinct, then the two quantities in (4) are unequal.
Proof. If the two quantities are equal then $q\,\mathrm{int}(m) \equiv q\,\mathrm{int}(m') \pmod{|G|}$.
Note that the converse also holds. From (3), we have $q < 2^{k-h}$ and by (1) and (2), this is strictly smaller than $|G|$. As $|G|$ is prime, $(|G|, q) = 1$, and so the above congruence implies that
(5) $\mathrm{int}(m) \equiv \mathrm{int}(m') \pmod{|G|}$.
Again from (1) and (2), we have $\mathrm{int}(m), \mathrm{int}(m') < 2^h < 2^t < |G|$.
Thus, the congruence (5) implies that $m$ and $m'$ are equal, contradicting our assumption.
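The signing and verification procedures of this section, written out as an added Python example; it is not code from the patent or its authors. The toy group (the order-1031 subgroup of squares modulo the safe prime 2063), the use of truncated SHA-256 as the hash, the function names and the extra range and subgroup checks are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
# P = 2*Q + 1 is a safe prime, so the squares mod P form a group G of prime order Q.
P, Q, G_GEN = 2063, 1031, 4      # G_GEN = 2^2 mod P generates G
T, K_BITS, H_BITS = 10, 16, 8    # t, k and h from the text

# Conditions (1) and (2), plus 2^t < |G| as used in the proof of Theorem 1.
assert H_BITS < K_BITS and max(H_BITS, K_BITS - H_BITS) < T and 2**T < Q


def hash_to_int(message: bytes) -> int:
    """int(m): SHA-256 truncated to h bits (assumption; the text allows any hash or MAC)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - H_BITS)


def keygen():
    """Return (K, g^int(K)) with K of exactly k bits (top bit forced to 1)."""
    K = secrets.randbits(K_BITS - 1) | (1 << (K_BITS - 1))
    return K, pow(G_GEN, K, P)


def sign(K: int, message: bytes):
    """Return the pair (x, y) = (g^(-zq-r), g^q) built from equation (3)."""
    m = hash_to_int(message)
    while True:
        z = secrets.randbelow(2**H_BITS - 1) + 1   # sessional number, 1 <= z < 2^h
        q, r = divmod(K, m + z)                    # (3): int(K) = (int(m) + z) q + r
        # Added check of this example: the proof needs gcd(q, |G|) = 1,
        # so re-draw z whenever q falls outside (0, |G|).
        if not 0 < q < Q:
            continue
        # The text's own retry rule: zq + r must not vanish (checked in the exponent group).
        if (z * q + r) % Q == 0:
            continue
        x = pow(G_GEN, -(z * q + r) % Q, P)
        y = pow(G_GEN, q, P)
        return x, y


def verify(pub: int, message: bytes, sig) -> bool:
    """Compare the two expressions in (4): x * g^int(K) and y^int(m')."""
    x, y = sig
    # Added input validation (not in the text): both values must lie in G and y != 1.
    if not (1 <= x < P and 1 < y < P):
        return False
    if pow(x, Q, P) != 1 or pow(y, Q, P) != 1:
        return False
    m = hash_to_int(message)
    return (x * pub) % P == pow(y, m, P)


def demo():
    """Sign a constructed message, then check it and a message with a different hash."""
    K, pub = keygen()
    msg = b"constructed sample message"
    sig = sign(K, msg)
    other = next(bytes([i]) for i in range(256)
                 if hash_to_int(bytes([i])) != hash_to_int(msg))
    return verify(pub, msg, sig), verify(pub, other, sig)


if __name__ == "__main__":
    print(demo())
```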
4. IMPLEMENTATION
As one example, the method of the present invention can be readily implemented in a Dynamically Linked Library (or DLL), which is linked to a computer program that utilizes an algorithm that embodies the digital signature algorithm described above, for example, an encryption, decryption or authentication utility that is operable to apply said algorithm.
The computer program of the present invention is, therefore, best understood as a computer program that includes computer instructions operable to implement an operation consisting of the calculation of the digital signature string (pair of strings) as described above.
Another aspect of the present invention is a computer system that is linked to a computer program that is operable to implement, on the computer system, the digital signature algorithm in accordance with the present invention, together with the System of Transformation of a MAC-value (Canadian Patent Application No. CA 2,552,085; U.S. Patent Application Serial No. 11/457,669). This invention will be of use in any environment where MAC functions are used for data integrity together with digital signatures.
As another example, the method of the present invention can be readily implemented in a specially constructed hardware device. As discussed above, an integrated circuit can be created to perform the calculations necessary to create a digital signature string. Other computer hardware can perform the same function. Alternatively, computer software can be created to program existing computer hardware to create digital signature values.
Claims (8)
1. A method of creating a secure digital signature comprising the following steps:
(a) a sender, based on a private key K and message x, calculates a unique pair of integers q and r such that int(K) = int(h)q + r, then chooses a cyclic group G with generator g, for which the discrete logarithm problem is a hard problem and computes the public key $g^{\mathrm{int}(K)}$ and calculates a pair $(g^q, g^r)$, which is the digital signature of x,
(b) a receiver, who knows a public key $g^{\mathrm{int}(K)}$, obtains a message y and a digital signature in a form of pair $(g^q, g^r)$ and calculates the following two expressions $g^{\mathrm{int}(K)}(g^r)^{-1}$ and $(g^q)^{\mathrm{int}(y)}$,
(c) the algorithm generates "TRUE", if the two expressions match, and "FALSE", if they do not.
2. A method of creating a secure digital signature as set out in claim 1, characterized in that private key K is about two times bigger (within a range of plus or minus 25%) (as a string) than message x.
3. A method of creating a secure digital signature as set out in claim 1, wherein the method is implemented in a Dynamically Linked Library (DLL), which is linked to a computer program that utilizes an algorithm that embodies the digital signature algorithm.
4. A method of creating a secure digital signature as set out in claim 3, characterized in that the computer program includes computer instructions operable to implement an operation consisting of the calculation of the digital signature.
5. A method of creating a secure digital signature as set out in any one of claims 3 or 4, characterized in that the computer program is an encryption, decryption or authentication utility.
6. A computer system comprising software that is operable to implement on a computer system the digital signature algorithm of any one of claims 1 to 5 together with a system of transformation of a MAC-value.
7. An integrated circuit adapted to perform the calculations necessary to create the digital signature pair of any one of claims 1 to 5.
8. A computer system comprising software to program existing computer hardware to calculate the digital signature of any of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA 2588149 CA2588149A1 (en) | 2006-05-09 | 2007-05-09 | A digital signature scheme based on the divisional algorithm and the discrete logarithm problem |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002545975A CA2545975A1 (en) | 2006-05-09 | 2006-05-09 | A digital signature scheme based on the division algorithm and the discrete logarithm problem |
CACA2,545,975 | 2006-05-09 | ||
CA 2588149 CA2588149A1 (en) | 2006-05-09 | 2007-05-09 | A digital signature scheme based on the divisional algorithm and the discrete logarithm problem |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2588149A1 (en) | 2007-11-09 |
Family
ID=38663510
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA 2588149 Abandoned CA2588149A1 (en) | 2006-05-09 | 2007-05-09 | A digital signature scheme based on the divisional algorithm and the discrete logarithm problem |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2588149A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101714910B (en) * | 2009-11-20 | 2012-10-24 | 西安电子科技大学 | Anti-pollution network encoding method based on probability detection |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7877610B2 (en) | Hybrid signature scheme | |
CA2806357C (en) | Authenticated encryption for digital signatures with message recovery | |
US6446207B1 (en) | Verification protocol | |
CA2235359C (en) | Implicit certificate scheme with ca chaining | |
CA2808701C (en) | Authenticated encryption for digital signatures with message recovery | |
Shoup | Why chosen ciphertext security matters | |
US6898284B2 (en) | Cryptographic identification and digital signature method using efficient elliptic curve | |
CA2591280A1 (en) | A new digital signature scheme | |
US20080072055A1 (en) | Digital signature scheme based on the division algorithm and the discrete logarithm problem | |
JP3854226B2 (en) | Method and apparatus for key pair determination and RSA key generation | |
KR100396740B1 (en) | Provably secure public key encryption scheme based on computational diffie-hellman assumption | |
CA2588149A1 (en) | A digital signature scheme based on the divisional algorithm and the discrete logarithm problem | |
JP2004246350A (en) | Enciphering device, deciphering device, enciphering system equipped with the same, enciphering method, and deciphering method | |
US9252941B2 (en) | Enhanced digital signatures algorithm method and system utilitzing a secret generator | |
KR100323799B1 (en) | Method for the provably secure elliptic curve public key cryptosystem | |
Sadkhan et al. | Analysis of Different Types of Digital Signature | |
Buenasmañanas Domínguez et al. | Digital identity-based multisignature scheme implementation | |
Glushachenko | Public key cryptosystems and their application in digital signature algorithms | |
Kbar et al. | Modified RSA Using Triple Keys Based Encryption/Decryption | |
WO1998047260A2 (en) | Publicly verifiable key recovery | |
Rizomiliotis | Cryptography Lecture 1 | |
Sheela et al. | InKeSi-Increased Key Size Method in SRNN Public Key Cryptography Algorithm | |
Kommera et al. | A Closer look at RSA and ECC | |
Al-Absi et al. | Cryptography Survey of DSS and DSA Algorithms | |
Wiener | CryptoBytes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FZDE | Dead |