An Implicit Elgamal Digital Signature Scheme

Home , Digital signature, ElGamal signature scheme

JOURNAL OF SOFTWARE, VOL. 6, NO. 7, JULY 2011 1329

An Implicit ELGamal Digital Signature Scheme

Haipeng Chen College of Computer Science and Technology, Jilin University, Changchun, China Email: [email protected]

Xuanjing Shen and Yingda Lv College of Computer Science and Technology, Jilin University, Changchun, China Email: [email protected]; [email protected]

Abstract—This paper introduced a detail ElGamal digital the data of the implicit part of the signature. Signature signature scheme, and mainly analyzed the existing receiver can verify the signature of the implicit signature problems of the ElGamal digital signature scheme. Then to come to the verification of the real signature. As for improved the scheme according to the existing problems of the generalized ELGamal type signature scheme, Harn ElGamal digital signature scheme, and proposed an implicit and Xu pointed out that there are a total of 18 security ElGamal type digital signature scheme with the function of ELGamal type signature schemes [11]. Qi Ming and Xiao message recovery. As for the problem that message recovery Guozhen promoted the Chang-Liao password not being allowed by ElGamal signature scheme, this article authentication scheme based on generalized ELGamal approached a method to recover message. This method will type scheme in [12]. To make a signature scheme more make ElGamal signature scheme have the function of secure, this paper puts forward an improved scheme of message recovery. On this basis, against that part of signature was used on most attacks for ElGamal signature three implicit ElGamal type signature schemes. scheme, a new implicit signature scheme with the function of According to the different ways of hiding the signature, message recovery was formed, after having tried to hid the schemes are divided into three types: Ⅰ (a with s) part of signature message and refining forthcoming implicit type, Ⅱ (b with s) type, Ⅲ (c with s) type. The feature of type signature scheme. The safety of the refined scheme was the improved scheme is to conceal part of the original anlyzed, and its results indicated that the new scheme was signature s. So an attacker can not use part of signature s better than the old one. to substitute the usual attack and can increase the number Index Terms—ElGamal-type digital signature scheme; of unknowns (key x, k, s) in original signature equation, message recovery; implicit signature scheme; security while the forgers are not aware of these unknowns, and analysis thus prevent the reuse of k to exposure to key x. Signature receiver can verify the signature of the implicit I. INTRODUCTION signature to come to the verification of the real signature. ElGamal signature scheme is designed to use as a As the implicit signature scheme was improved; method signature, and its speed of encryption and decryption is of message recovery was given and it was applied to relatively slower than the symmetric algorithm, it is the ElGamal digital signature scheme, thus an implicit digital common problem of all practical public key algorithms at signature scheme with the function of message recovery present [1-3]. It is a non-deterministic two-key system. In was formed. The analyzed results show that: the security terms of the same plaintext message, due to different of the improved scheme has been improved significantly. parameters chosen randomly, it has different signatures. Most digital signature systems in the public did not have II. ELGAMAL DIGITAL SIGNATURE SCHEME the message recovery function. Signature scheme allowing message recovery has many advantages [4-7], A. General definition of digital signature scheme such as shorter signature for shorter message; meanwhile, [4] Generally speaking, a digital signature [13] mainly has it puts the message together with validation . Nyberg two algorithms. Signer can use a (secret) signing and Rueppel had improved the broad-based ELGamal algorithm to sign a message, leading to the signature by a mode [8-10], and a series of signature schemes had been public verification algorithm to verify. Verification received, which could verify the signature while algorithm makes an answer with "real" or "false" recovering the message. according to whether the signature is real when given a The implicit digital signature scheme conceals part of pair of signature. A digital signature scheme can be the signature from the other data in the signature, and described when meeting the following conditions (P, A, constitutes an implicit signature on the message by using K, S, V):

National Natural Science grant (No.60773098); (1) P is a finite set composed by all possible Scientific and Technological Development Foundation of Jilin messages; Province(No.20080317).

(2) A is a finite set composed by all possible Ver( x ,γδ , )=⇔ true γfx(,,)γδ ⋅ β gx (,,) γδ ⋅ α hx (,,) γδ ≡ 1(mod p )(mod q ) signatures ; (4) (3) K is a finite set composed by all possible f, g, h is a public function and (,,x γ δ ) is known keys, which is key space; public, so any one can verify the equation (3). (4) As for each kK∈ , there is a signature If the signature is constructed correctly, then the algorithm Sigk ()⋅∈ S and a corresponding validation will be successful, because verification algorithm Ver(,)⋅⋅ ∈ V . Each k γβαfx(,,)γδ⋅⋅ gx (,,) γδ hx (,,) γδ(modpq )(mod ) Sigk ()⋅∈ S and (5) =αααkf(,,)γδ x ag (,,) γδ x h (,,) γδ x (modpq )(mod )= 1 Verk (,)⋅⋅ ∈ V : P × A → { true , false } is a function which satisfies the following When f, g, h take a different function, different digital equation: as for each message x∈ P and signature scheme will be gotten, and we referred to this each signature yA∈ , there is type of scheme as the ElGamal digital signature scheme.

Verk (, x y )= true , If and only if In the above scheme, , and both are ySigx= k () Sigk ()⋅ Verk (,)⋅⋅ qpfx= , (,,)γ δδγδγγδ===− ,(,,) g x ,(,,) h x m (6) function of polynomial time. Ver (,)⋅ ⋅ is a k When taking the above-type, the scheme is the public function, while is a secret Sigk ()⋅ ElGamal digital signature scheme. At this point, the function. signature algorithm and verifying algorithms of the scheme change correspondingly: B. The description of the ElGamal type digital signature Sig( x , k )= (γδ , ), γ==−− αk mod p , δ ( x a γ ) k−1 mod p 1 (7) scheme based on discrete logarithm problem on * k Z p And Suppose p is a intractable prime on * the discrete Z p γ x * (8) Ver(,, xγδ )=⇔ true βγδ ≡ α (mod), p x γ ∈ Zpp , δ ∈ Z −1 logarithm problem[15-16], q is a large prime factor of p-1, or p=q, when qcryptanalysis , there are serious technical q p−1 defects.

Sigk (, x k )= (,γ δ ) (1) 2) For activities attacks and counterfeit attacks is fragile. If an attacker successfully replaces a Where γα= k modp (modq ) . legitimate user's public key by using private key that is randomly selected corresponding to public When q

5) Random prive key k can not be repeatedly used to K = {( p,α, x, y) y = α x mod p} sign different messages. Otherwise, an attacker can easily obtain the signer private key x. and a secret random number kt, ∈ Zp−1 , define: 6) He and Keisler point out that can forge signer sign any message. If three random key k, (i = Sigk (,) m k= (,,) r i v 1,2,3) satisfy the k3 = k1 + k2, then r, (i = 1,2,3) to meet the r3 = r1r2. Then the attacker can obtain Where r is calculated by the key x. This is similar to the homomorphism r = mα −k mod p (10) attack that is faced by RSA , the difference is, the homomorphism attack of RSA signature is only and assume used to forge signature , and can be overcome by ' using hash function .while the homomorphism gcd(ry , p −= 1) 1 (11) attack of the ELGamal digital signature scheme, Where “gcd” is greatest common factor. If the above has yet to find effective solutions by now. equation does not hold, we can fixe the k and choose 7) Subliminal channel problem. Closed threshold on another value of t to make it hold. the lower channel of ELGamal digital signature Then calculation of s is defined by the following scheme ,has not seen any study findings so far. equation:

According to the above analysis on ElGamal Digital −1 Signature Algorithm, due to the discrete logarithm skrxp= (1+− ) mod( 1) (12) problem has yet no possible solution has been worked out Among them yet, so the ElGamal type digital signature algorithm based on the question has high security keys. Before the sx − kr =1mod(p −1) (13) discrete logarithm problem is effectively resolved, any is signature equation. Then calculate: direct attack on the keys, the computational needs are staggering[17-18]. u = yt (modp ) (14) According to the signature and the verify equation, the And signer needs to complete a signature through a power operation and an inverse operation, and the verifier needs vtsu= +−mod p 1 (15) three power operations. Given that sign documents or information for the sign may be more, but the verifier is The message signature is (,ruv ,), for the different user; this conditions which the *** computational complexity of verifier is higher than the m∈∈∈ Zp ,, r Zpp u Z and v ∈ Z p−1 computational complexity of signers. Define:

III. THE IMPLICIT SIGNATURE SCHEME WITH MESSAGE vr−− u ur RECOVERY Ver(,) r s=⇔ TRUE y (rmupα ) = mod When validating and recovering messages, firstly, Setting p as a large prime number, which makes receiver calculates: calculating the discrete logarithm of p a hard problem. Moreover, p-1 contains large prime. Then select cyr= vr()(mod)α − u p (16) * randomly a element α ∈ Z p with an order for p-1. and then determine whether c satisfies the condition (17) * is a set of all possible messages. While P = Z p to verify signature. A =××ZZZ** is a set [21] of all possible signatures, p pp−1 cmu= ur (17) definition: Theorem 3.1: In the above signature scheme, we x Kpxyy=={(,,,)αα mod p} assume gcd(ryt , p − 1)= 1 is reasonable; namely, the t which can satisfy the equation exists, and the choice of t Where parameters p , y and α are known to every be completed in limited steps. user. Signer's private key x is element belonging to set * Prove: When t takes over each element of , ′ Z p−1 y Z p−1 , the corresponding public key generated by x is: takes over each element of Z * . Since there are φ(1)p − y = α x mod p (9) p * elements relatively prime with p-1 in Z p , then there are Sign a message m, which is an element on Z * .For p also φ(1)p − elements prime with p-1 in t , {ry t∈ Z p−1}

that is, t which satisfies gcd(ryt , p −= 1) 1 exists, and the Then: number is . φ(1)p − ()modcu−1 t = p As t is a random selection in to satisty the urt(mod p− 1) Z p−1 = mpmod t gcd(ry , p −= 1) 1, then we can know the expected setps = m in selecting such t, the expectation is pp−−1(1)φ . So: The proof has been completed. mcu= ()−1 t Theorem 3.2: when signing message m, if its signer −1 −−11u complied with the steps in the above mentioned scheme, =⋅⎡⎤yru−vr()α r mod p it can be verified that signature (,ruv ,) is true signature ⎣⎦ of the message. Thus, we recover the message m. Prove: From (16), we can get: The proof has been completed. cyr= vr()modα − u p Theorem 4.2: Message m is the number on the contrary of the constant term of the greatest common factor of tsu+− r kr u =⋅ym (αα ) mod p polynomial P(X ) = X r − cα −1 mod p and polynomial

= umαααxsu−− ur kru − u mod p X p − X , that is:

u = umpα (1)xs−− kr − ur mod Xm−=gcd( Xrp − cα −1 , X − X ) (21) Because xs − kr =1mod p −1 , then cum=⋅−ur mod p, where “gcd” is greatest common factor. that is to say signature (,ruv ,) is true signature of the Prove: there are three steps for the proof. message. 1) Message m is one root of polynomial: The proof has been completed. P(X ) = X r − cα −1 mod p .

IV. RECOVERY OF IMPLICIT SIGNATURE MESSAGE Because In (17) the value of message m is unknown, so, when cm=⋅α r (mod p ) verifying signatures we have to recover message m. Euclidean algorithm[22] for polynomial[7] is used to So recover message m. r −1 First, define polynomial m = cα (mod p)

r −1 that is PX()=− X cα mod p (18) mr − cα −1= 0(mod p) (22) Where, message m is one root of polynomial PX(). Because r and p-1 are co-prime, there is only one root for so message m is one root of polynomial PX(). polynomial Xcr − α −1 mod p on limited domain Z , p 2) There is only one root for polynomial and the root is m. r −1 P(X ) = X − cα mod p on Z p . Theorem 4.1: Recover message from signature (,ruv ,), and message m is given though following It can be divided into the following two cases for discussion: equation: −1 r −1 t a) When cα = 1 , that is X −1 = 0 . mcu= () (r, p−1) Equation X −1 = 0 can be derived −1 (19) −−11u p−1 =⋅⎡⎤yru−vr()α r mod p from X −1 = 0 . Because (r, p −1) = 1 ⎣⎦ and x −10=⇒=x 1, there is x ≡ 1, that is to Prove: Noted m satisfies the equation say there is only one root for X r −1 = 0 on Z , and the root is 1. mcupur = −1 mod p −1 Since ru and p-1 are co-prime, then choose t and make b) When cα ≠ 1 , establish the r r it like this: mapping f : x → x , which is from Z p to Z p . For any two elements , if there rut=−1(mod p 1) (20) x12, xZ∈ p

r function of message recovery. Signature of each scheme ⎛ ⎞ r r x1 is (r, u, v). The lists are as follows: is x1 = x2 , ⎜ ⎟ −1 = 0(mod p) can be ⎜ x ⎟ ⎝ 2 ⎠ Tabel 1 a inclued s concealed type signature scheme gained. And from a), we can find out x = x , 1 2 Signature equation Signature vefication r so the mapping f : x → x is a bisection, that r = mα k mod p c = yv (r rα)−u mod p is to say there is only one root for sx = rk +1mod p −1 r −1 −ur on . t If ,then X − cα = 1(mod p) Z p u = y mod p c = m u accept signature 3) Prove the establishment of v = t + su mod p −1 equation X − m = gcd(X r − cα −1, X p − X ) . Tabel 2 b inclued s concealed type signature scheme On the limited domain, there is an equation: Signature equation Signature vefication k p−1 r = mα mod p p c = r v (α −1 y r )−u mod p X −=XXxxZ() −， ∈ (23) rx = sk +1mod p −1 ∏ iip −ur i=0 u = r t mod p If c = m u ,then p accept signature There is no repeated factorization in X − X , but v = t + su mod p −1 from a) it can be known that X r − cα −1 is the r-th power repeated factorization of X − m , so: Tabel 3 c inclued s concealed type signature scheme D r −1 p ∂ gcd(X − cα , X − X ) ≤ 1. (24) Signature equation Signature vefication r = mα k mod p Because m∈ Z * , there is i making x = m , c = α v (r −r y1 )−u mod p p i x = rk + s mod p −1 −ur where 0 ≤≤ip, that is u = α t mod p If c = m u ,then accept signature X − m = gcd(X r − cα −1, X p − X ) (25) v = t + su mod p −1 In summary, the theorem has been proved. V. SECURITY ANALYSIS In terms of Euclidean algorithm on polynomials, we The security of the above scheme mentioned is based can get the following conclusions [8]: Assumed polynomial applies to polynomials f and g, and on the discrete logarithm problem. Assuming that the attacker does not know key x, digital signature of a given degf ≥= deg gd then there are: message m is going to be forged now. If the attacker 1) The most steps of decomposition are d t, clearly chooses a value s first, and then finds a corresponding r every step in the process of price reduction may reduce strongly, the transcendental equation m the order for1 at least. r log = log y sα −1 must be solved to find out r, and it 2) Steps required by decomposition are just d, when r is associated with the discrete logarithm. If the attacker f and g are polynomial of recursive sequence of chooses a value r first, and then finds a corresponding s polynomials, defined as follows: strongly, the transcendental equation

，， ⎡ m r ⎤ {F01==1,1 FXFnnn+− 1 =+≥ XFFn 1 (26) must be solved. The implicit s = log⎢α( ) ⎥ / log y 3) If the g is uniformly distributed in polynomial and ⎣ r ⎦ make f mod g be uniform distribution as well, then the signature scheme hides part of signature s among other number of steps of decomposition is (1− 1 /pd ) . data, and constitutes an implicit signature on the message using the data of the hidden part of the signature; finally For general polynomials, this algorithm needs large verifies the real signature through the implicit signature amount of computing. However, applying Euclidean verification. Increase the number of the original signature pr−1 algorithm for polynomial to (,XXXc−−⋅α ) , can equation unknown (key x, k, s to the forger not know), reduce the amount of computing largely. Where there is p preventing key x from espousing for the reuse of k, and no repeated factorization in polynomial X − X , its security of other aspects has been strengthened. roots traversal every element in Z p . Especially r −1 In this paper, we make the security analysis to the X − c ⋅α is the r-th power repeated factorization, implicit scheme with the function message recovery by having only one factor. This makes the amount of only taking I (a with s)-type scheme as an example, computing in the process of algorithm decomposition be reduced largely, and algorithm speed be faster. 1) (,ruv ,)is an implicit signature of message, According to the difference of the hidden part of the denoted csig() m . In practice, the time can be introduced signature in the scheme, we can get three kinds of to the signature, the signature equation: implicitly corresponding signature scheme with the

v = t + su mod p −1 solve the key x due to the number of unknown in the first equations (31) bigger than the number of equation. Modified it to:

vts=+f (,uT )mod p − 1 (27) ⎧sx11= rk+−1mod p 1 ⎪ ⎪s22xrk= +−1mod p 1 In equation, One-way function f is introduced to ⎨ (31) prevent the attacker changing the time, this ⎪# time csig() m= (,,,) r u v T . This is more realistic. ⎪ ⎩snnxrk= +−1mod p 1 In some special cases, the signature debit not only to verify the correctness of the signature, but also to verify c) ti is only reused : the signature is valid. In general, there are signatures associated with the signature time, signature and its At this time, tt12= ===" ttn , which lead corresponding time are equally important and need to be uu= ===" uu. If s (1,2,,)in= " is different verified. Implicit scheme has the function of verifying the 12 n i signature and signature time at the same time. form each other which is produced by the first equations, then due to the above reason, the attack is hard to solve 2) For the given message {m ,i = 1,2,", n} and its i si (1,2,,)in= " from the second equations, correspondingly implicit signature therefore ,the key x is not obtain.

{}(,ruviii , ).1,2,, i= " n . To obtain the signer’s key x, attacker can start from the signature equation as likely ⎧vtsup11= +−mod 1 treate the ELGamal type signature scheme. ⎪ ⎪vtsup22= +−mod 1 (32) Attackers try to solve the key x from equations: ⎨ ⎪# ⎪ ⎧sx111=+ rk1mod p − 1 ⎩vtsupnn= +−mod 1 ⎪ Even if there are several same " , if ⎪sx222=+ rk1mod p − 1 si (1,2,,)in= ⎨ (28) # time is introduced to signature like equation (32), the ⎪ signature changes to vtsfuT= +−(, )mod p 1, then ⎪ ⎩sxnnn=+ rk1mod p − 1 vi are different from each other due to the differentti . So, and attackers can not judge whether si is same from the

⎧vt11111=+ su1mod p − 1 signature csig()(1,2,,)mii = " n. ⎪ ⎪vtsu2222=+mod p − 1 d) both k and t are reused : ⎨ (29) i i # ⎪ From the above analysis we can know both ki and ti ⎪ ⎩vtsunnnn=+mod p − 1 are reused, which won’t expose the key x under the condition that s (1,2,,)in= " is different from each We discuss the points from the following four cases: i other. a) Random key ki and ti were not being reused: at In a word, using the ElGamal signature scheme is not this time, the number of unknowns are more than the same to using the implicit signature scheme which can number of equations in the two equations, and the key x not be strict greatly in the selection of random key, but has no unique solution. relatively flexible.

b) ki is only reused : 3) From the above security analysis, we can see that there are also with the following state attacks for the At this time, kk12====" kkn . ELGamal signature scheme with the function of message

ki recovery: From rmii= α mod p, we can introduce:

rr r If the three random keys ki , i =1, 2, 3 is calculated 12==" n (30) ri (i = 1,2,3) , which satisfies k3 = k1 + k2 , then that mm12 mn r r r is 1 2 = 3 . As it is hard to solve si (1,2,,)in= " from the m1m2 m3 second equations, therefore, even if the attacker knows ki is used repeatedly from (30), that are , it will still not

So an attacker can solve key x using these correlations signature speed and verification speed will be subject to solutions. The solving process can be obtained through different influence. the signature equation VI. CONCLUSION

xsiii+= k r1mod p −= 1, i 1,2,3 Signature scheme allowing message recovery has and relationship equation kkk=+ to obtain the many obvious advantages such as shorter signature for 312 short message, lower computation work for the following equation: combination of message and its signature to be sent, and so on. Most signature schemes including ELGamal (1−+−=−⇒=xsr )−−−111 (1 xsr ) (1 xsr ) x signature mode do not allow message recovery. Based on 11 2 2 33 −−−−−−−−111 1 1 1 11 ELGamal signature mode, an improved scheme was ()()rrrsrsrsrsr12311212133+− + + − proposed, which allows message recovery and has better Thus, key x has been solved, and the system has been security than the original one. In particular, it can resist deciphered. homomorphism attack and substitution attack using partial signature. This function is not available in the As for the implicit signature scheme, since other ELGamal improved schemes. is not public, no one can obtain the key x sii (1,2,3)= Due to some features of attacks suffered by ELGamal using the above method. signature, hash function must be used to ensure its In addition, when ti(1,2,3)= satisfy ttt= + , security. As for ELGamal type signature scheme not i 312 using hash functions, Yen and Laib actually made a lot of attacker can not obtain anything from the equations: efforts, but were unable to find [27]. These schemes are attacked by using some of the signatures s offensive and ⎧vtsu1111=+ just carried out a public key y. Although the implicit ⎪ vtsu=+ (33) signature program is also not completely free to use a ⎨ 2222 hash function, one case of a major offense can be ⎪ prevented at least without the use of hash functions . Harn ⎩vtsu3333=+ and Xu pointed out that there are 18 the secure ELGamal Therefore, attack with the state is hold only with type signature schemes, fowling attack methods of ELGamal type signature scheme, but dose not hold to the modeled Nyberg and Rueppel, you can use part of implicit ELGamal type signature. In this way, we have signature to substitution attack on almost 18 different solved the question by He and Keisler but not able to schemes. If the pure public-key attach was not considered, resolve [23-24]. such scheme can still maintain its security without using hash function. As a deformation of ELGamal type signature scheme, the security of implicit signature is also based on the difficulty of discrete logarithm. Literature [25] showed REFERENCES that if b is set to the bit of the prime modulus p, then the [1] CHEN Zhi-ming. An inproved encryption algorithm on computational complexity of requesting x from y, ELGamal algorithm[J]. Computer Applications and requesting k from r or requesting t from u is Sostware, 2005, 22 (2): 82-85.

. It is generally [2] Wang Li, Xing Wei, Xu Guang-zhong. ElGamal public- Ocbnbwherec(exp 1 ,∈ (0,1) key cryptosystem based on integral quaternions[J]. believed that the computational complexity of the Computer Applications, 2008,28(5):1156-1157. algorithm is Ocbnb(exp 1 ) which is called a sub- [3] Lu Hong-wen, Sun Yu-hua. A Public-key Cryptography Using Integral Quaternions[J]. Journal of Tong Ji exponential time algorithm. Therefore, as long as the University, 2003, 31(12). scale of b (eg b come to 1024-bit) is expanded [4] HUANG Zhen-jie, WANG Yu-min, CHEN Ke-fei. appropriately, it will be very difficult for forgers who Generalization and improvement of Nyberg-Rueppel want to solve discrete logarithm to decipher implicit message recovery blind signatures[J]. Journal on signature schemes or ELGamal type signature scheme. Communications, 2005 , 26(12): 131-135. As the complexity of the mode index problem is O (n), so [5] CHEN Hui-yan, LB Shu-wang, LIU Zhen-hua . Identity the signer can easily calculate the value of y, u and r[26]. Based Signature Scheme with Partial Message Recovery [J]. ChineseJournal of Computers, 2006, 29 (9) : 1622- Due to structural features of implicit signature equation, 1627 . the signature speed is slower one time than ELGamal [6] Cao Tian-jie, Lin Dong-dai. Security analysis of a signature scheme, which is the major weakness of signature scheme with message recovery[J]. Journal of implicit scheme. However, the calculation of u has Zhejiang University(Science Edition) , 2006,33 (4) :396～ nothing to do with the message m, it can be carried out 397 and calculation to make up the weakness of the speed. [7] Kan Yuan-ping. A Signat ure Scheme wit h Message Enhanced ELGamal type signature's speed and Recovery Based on Elliptic Curves[J]. Computer engineering and science, 2010, 32(2):58-59. verification speed are relatively slower than the original ELGamal signature scheme. With the increased security,

[8] Yberg,K.and Rueppel,R.A. ”message recovery for Haipeng C. Chen, male, was born in signature schemes based on the discrete logarithm Cao County, Shandong, June, 1978. He problem,” in EUROCRYPT,1994, 182~193. received bachelor degree in 2003 and [9] Wang Qing-ju, Kang Bao-yuan, Han Jin-guang.. Several master degree in 2006 both from Jilin New ELGamal Type Digital Signature Schemes and Their University. Enhanced Schemes[J]. Journal of East China Jiaotong Now he is a lecturer and a Ph.D University, 2005, 22(5): 127-138 candidate in the college of computer [10] Zhang Hui-ying, Zhang Jun. Research and Design of an science and technology, Jilin University. Improved ELGamal Digital Signature Scheme[J]. His research interests are computer Computer Engineering and Scinece, 2009, 31(12): 35-38. network security, digital image [11] Ham, L. and Xu,Y. Design of generalized ElGamal type processing and pattern recognition. digital signature scheme based on the discrete Dr. Chen is membership of China Computer Federation logarithm.Electronic Letters, 1994.31(24). (E20-00 15167M). [12] QI Ming, Xiao Guo-zhen. Security and performance analysis of two kinds of ELGamal type digital signature algorithm[J]. Journal of Electronica Science, 1997, 19(3):346~349. Xuanjing B. Shen, male, was born in [13] ELGAMAL T. A public key cryptosystem and a signature Helong County, Jilin Province, scheme based on discrete logarithms[J]. IEEE Trans December, 1958. He received bachelor Inform Theory.1985,31(4): 469-472. degree in 1982, master degree in 1984, [14] WANG Li, XING Wei, XU Guang-zhong. ElGamal and PhD degree in 1990 all from Harbin public-key cryptosystem based on integral quaternions[J]. Institute of Technology respectively. Journal of Computer Applications, 2008, 28(5):1156-1157. He is a professor and PhD supervisor [15] D. Chaum, C. Cr´ epeau, and I. Damg˚ ard, “Multiparty currently in the college of computer unconditionally secure protocols,” STOC ’88. science and technology, Jilin University. [16] Yiannis Tsiounis, Moti Yung. On the Security of ELGamal His research interests are multimedia technology, computer Based Encryption[J]. Computer Science, 1998. Vol.1431: image processing, intelligent measurement system, optical- 117-134 electronic hybrid system, and etc. [17] C.P. Schnorr and M. Jakobsson : Security of Discrete Log Cryptosystems in the Random Oracle and Generic Model. TR report University Frankfurt and Bell Laboratories 1999. [18] C.P. Schnorr and M. Jakobsson : Security of Discrete Log Cryptosystems in the Random Oracle and Generic Model. TR report University Frankfurt and Bell Laboratories 1999. Yingda A. Lv, female, was born in [19] Kaisa Nyberg and Rainer A.Rueppel. Message Recovery Wenan County, Hebei Province, January, for Signature Schemes Based on the Discrete Logarithm 1983. She received bachelor degree in Problem[J]. Designs,Codes and Cryptography, 1996, 7:61- 2007 and master degree in 2010 from 81. Jilin University. [20] Changshe Ma, Jian Weng, Yingjin Li, and Robert Deng. Now she is a Ph.D candidate in the Efficient discrete logarithm based multi-signature scheme college of computer science and in the plain public key model[J]. Designs,Codes and technology, Jilin University. Her Cryptography, 2010,54(2): 122-133. research interests are digital image [21] WANG Shu-hong, WANG Gui-lin, BAO Feng, et al. processing and pattern recognition. Cryptananlysis of a proxy blind signature scheme based on Dr. Lv is student membership of DLP[J]. Journal of Software, 2005, 16(5): 911-915. China Computer Federation (E20-00 15161G). [22] YUAN Dan-shou, RONG Meng-tian. A scalable architecture for inversion based on modified Euclid's algorithms[J]. Journal of Shanghai Jiaotong University, 2005, 40(1): 36-40. [23] Knuth, D.E, The art of computer programming. Vol 2: SeminumericalAlgorithm(AddisonWesley,Reading,Mass,1 981 ) , 2nd Edn. [24] S. Pohlig and M. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transaction on Information Theory IT- 24(1988). [25] Yen, S. M. and Laih, C. S. New digital signature scheme based on discrete logarithm. Electronic Letters, 1999 [26] ZHANG Qing-po, CHEN Cai-yun, CHEN Lu-sheng, et al. EIGamal cryptosystem and digital signature scheme based on polynomials over finite fields. JOURNAL ON COMMUNICATIONS, 2005, 26(5): 69-72. [27] He, J. and Keisler, T. Enhancing the security of ElGamal’s signature scheme. IEEproc. Comput.Digit. Tech, 1994,141(4);249~252.