JOURNAL OF SOFTWARE, VOL. 6, NO. 7, JULY 2011 1329 An Implicit ELGamal Digital Signature Scheme Haipeng Chen College of Computer Science and Technology, Jilin University, Changchun, China Email: [email protected] Xuanjing Shen and Yingda Lv College of Computer Science and Technology, Jilin University, Changchun, China Email: [email protected]; [email protected] Abstract—This paper introduced a detail ElGamal digital the data of the implicit part of the signature. Signature signature scheme, and mainly analyzed the existing receiver can verify the signature of the implicit signature problems of the ElGamal digital signature scheme. Then to come to the verification of the real signature. As for improved the scheme according to the existing problems of the generalized ELGamal type signature scheme, Harn ElGamal digital signature scheme, and proposed an implicit and Xu pointed out that there are a total of 18 security ElGamal type digital signature scheme with the function of ELGamal type signature schemes [11]. Qi Ming and Xiao message recovery. As for the problem that message recovery Guozhen promoted the Chang-Liao password not being allowed by ElGamal signature scheme, this article authentication scheme based on generalized ELGamal approached a method to recover message. This method will type scheme in [12]. To make a signature scheme more make ElGamal signature scheme have the function of secure, this paper puts forward an improved scheme of message recovery. On this basis, against that part of signature was used on most attacks for ElGamal signature three implicit ElGamal type signature schemes. scheme, a new implicit signature scheme with the function of According to the different ways of hiding the signature, message recovery was formed, after having tried to hid the schemes are divided into three types: Ⅰ (a with s) part of signature message and refining forthcoming implicit type, Ⅱ (b with s) type, Ⅲ (c with s) type. The feature of type signature scheme. The safety of the refined scheme was the improved scheme is to conceal part of the original anlyzed, and its results indicated that the new scheme was signature s. So an attacker can not use part of signature s better than the old one. to substitute the usual attack and can increase the number Index Terms—ElGamal-type digital signature scheme; of unknowns (key x, k, s) in original signature equation, message recovery; implicit signature scheme; security while the forgers are not aware of these unknowns, and analysis thus prevent the reuse of k to exposure to key x. Signature receiver can verify the signature of the implicit I. INTRODUCTION signature to come to the verification of the real signature. ElGamal signature scheme is designed to use as a As the implicit signature scheme was improved; method signature, and its speed of encryption and decryption is of message recovery was given and it was applied to relatively slower than the symmetric algorithm, it is the ElGamal digital signature scheme, thus an implicit digital common problem of all practical public key algorithms at signature scheme with the function of message recovery present [1-3]. It is a non-deterministic two-key system. In was formed. The analyzed results show that: the security terms of the same plaintext message, due to different of the improved scheme has been improved significantly. parameters chosen randomly, it has different signatures. Most digital signature systems in the public did not have II. ELGAMAL DIGITAL SIGNATURE SCHEME the message recovery function. Signature scheme allowing message recovery has many advantages [4-7], A. General definition of digital signature scheme such as shorter signature for shorter message; meanwhile, [4] Generally speaking, a digital signature [13] mainly has it puts the message together with validation . Nyberg two algorithms. Signer can use a (secret) signing and Rueppel had improved the broad-based ELGamal algorithm to sign a message, leading to the signature by a mode [8-10], and a series of signature schemes had been public verification algorithm to verify. Verification received, which could verify the signature while algorithm makes an answer with "real" or "false" recovering the message. according to whether the signature is real when given a The implicit digital signature scheme conceals part of pair of signature. A digital signature scheme can be the signature from the other data in the signature, and described when meeting the following conditions (P, A, constitutes an implicit signature on the message by using K, S, V): National Natural Science grant (No.60773098); (1) P is a finite set composed by all possible Scientific and Technological Development Foundation of Jilin messages; Province(No.20080317). © 2011 ACADEMY PUBLISHER doi:10.4304/jsw.6.7.1329-1336 1330 JOURNAL OF SOFTWARE, VOL. 6, NO. 7, JULY 2011 (2) A is a finite set composed by all possible Ver( x ,γδ , )=⇔ true γfx(,,)γδ ⋅ β gx (,,) γδ ⋅ α hx (,,) γδ ≡ 1(mod p )(mod q ) signatures ; (4) (3) K is a finite set composed by all possible f, g, h is a public function and (,,x γ δ ) is known keys, which is key space; public, so any one can verify the equation (3). (4) As for each kK∈ , there is a signature If the signature is constructed correctly, then the algorithm Sigk ()⋅∈ S and a corresponding validation will be successful, because verification algorithm Ver(,)⋅⋅ ∈ V . Each k γβαfx(,,)γδ⋅⋅ gx (,,) γδ hx (,,) γδ(modpq )(mod ) Sigk ()⋅∈ S and (5) =αααkf(,,)γδ x ag (,,) γδ x h (,,) γδ x (modpq )(mod )= 1 Verk (,)⋅⋅ ∈ V : P × A → { true , false } is a function which satisfies the following When f, g, h take a different function, different digital equation: as for each message x∈ P and signature scheme will be gotten, and we referred to this each signature yA∈ , there is type of scheme as the ElGamal digital signature scheme. Verk (, x y )= true , If and only if In the above scheme, , and both are ySigx= k () Sigk ()⋅ Verk (,)⋅⋅ qpfx= , (,,)γ δδγδγγδ===− ,(,,) g x ,(,,) h x m (6) function of polynomial time. Ver (,)⋅ ⋅ is a k When taking the above-type, the scheme is the public function, while is a secret Sigk ()⋅ ElGamal digital signature scheme. At this point, the function. signature algorithm and verifying algorithms of the scheme change correspondingly: B. The description of the ElGamal type digital signature Sig( x , k )= (γδ , ), γ==−− αk mod p , δ ( x a γ ) k−1 mod p 1 (7) scheme based on discrete logarithm problem on * k Z p And Suppose p is a intractable prime on * the discrete Z p γ x * (8) Ver(,, xγδ )=⇔ true βγδ ≡ α (mod), p x γ ∈ Zpp , δ ∈ Z −1 logarithm problem[15-16], q is a large prime factor of p-1, or p=q, when q<p, select a element α ∈ Z * of an order for p C． Analysis of ElGamal Digital Signature Algorithm the q randomly; When p=q, randomly select a element Security * , or ** or α ∈ Z p P ∈=×〈ZAZppq,,() Z qp In general, the following are the main ways of attack: a * direct hack on the private key[14-16]. A =×ZZqppp−1() = of an order for the p-1. Definition: 1) Following the launch of RSA in 1978, has spent Kpqa=={(,,,,αββα )a (mod) p} much effort to find the defects that can be deciphered. Although it is used within a certain Where pq,,α ,β are public, a is private. scope of the agreement is not without risk, the algorithm's basic security is guaranteed. But For Kpqa= (,,,,α β ) and a secret random ELGamal algorithm has not a decoding test of * * detailed cryptanalysis , there are serious technical kZqp∈<q () or kZ∈=p−1() qp, definition: defects. Sigk (, x k )= (,γ δ ) (1) 2) For activities attacks and counterfeit attacks is fragile. If an attacker successfully replaces a Where γα= k modp (modq ) . legitimate user's public key by using private key that is randomly selected corresponding to public When q<p, δ satisfies the equation: key, then user will be able to forge signatures. kf⋅+⋅+≡(,,γ xδγδγδ ) ag (,, x ) h (,, x ) 0mod q (2) 3) The substitution attack. These attacks include the use of some of the signatures s and only use the When q=p, δ satisfies the equation: public key Y. The substitution attack carried out by using some of the signature s is major attack kf⋅+⋅+≡−(,,γ xδγδγδ ) ag (,, x ) h (,, x ) 0(mod p 1) (3) that the signature program ELGamal face to. f, g, h is a public function, and is calculated easily 4) The forgery attack. Starting from the from (1) and (2). signature,forgers make any changes to form the ** signature of another message m, which is For x ∈∈ZZp ,γ q and δ ∈ Zq , definition: possible to meet the same verification equation. © 2011 ACADEMY PUBLISHER JOURNAL OF SOFTWARE, VOL. 6, NO. 7, JULY 2011 1331 5) Random prive key k can not be repeatedly used to K = {( p,α, x, y) y = α x mod p} sign different messages. Otherwise, an attacker can easily obtain the signer private key x. and a secret random number kt, ∈ Zp−1 , define: 6) He and Keisler point out that can forge signer sign any message. If three random key k, (i = Sigk (,) m k= (,,) r i v 1,2,3) satisfy the k3 = k1 + k2, then r, (i = 1,2,3) to meet the r3 = r1r2. Then the attacker can obtain Where r is calculated by the key x. This is similar to the homomorphism r = mα −k mod p (10) attack that is faced by RSA , the difference is, the homomorphism attack of RSA signature is only and assume used to forge signature , and can be overcome by ' using hash function .while the homomorphism gcd(ry , p −= 1) 1 (11) attack of the ELGamal digital signature scheme, Where “gcd” is greatest common factor.