A Signature Scheme with Message Recovery as Secure as Discrete Logarithm

This paper, for the first time, presents a provably secure signature scheme with message recovery based on the (elliptic-curve) discrete logarithm. The proposed scheme can be proven to be secure in the strongest sense (i.e., existentially unforgeable against adaptively chosen message attacks) in the random oracle model under the (elliptic-curve) discrete logarithm assumption. We give the concrete analysis of the security reduction. When practical hash functions are used in place of truly random functions, the proposed scheme is almost as efficient as the (elliptic-curve) Schnorr signature scheme and the existing schemes with message recovery such as (elliptic-curve) Nyberg-Rueppel and Miyaji schemes.

[1]  Atsuko Miyaji A Message Recovery Signature Scheme Equivalent to DSA over Elliptic Curves , 1996, ASIACRYPT.

[2]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[3]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[4]  Kazuo Ohta,et al.  On Concrete Security Treatment of Signatures Derived from Identification , 1998, CRYPTO.

[5]  R. A. Rueppel,et al.  Message recovery for signature schemes based on the discrete logarithm problem , 1994, EUROCRYPT.

[6]  Rainer A. Rueppel,et al.  Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem , 1994, EUROCRYPT.

[7]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[8]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[9]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[10]  Nigel P. Smart,et al.  The Discrete Logarithm Problem on Elliptic Curves of Trace One , 1999, Journal of Cryptology.

[11]  Amos Fiat,et al.  Zero-knowledge proofs of identity , 1987, Journal of Cryptology.

[12]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[13]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[14]  Rainer A. Rueppel,et al.  A new signature scheme based on the DSA giving message recovery , 1993, CCS '93.

[15]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[16]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[17]  Jean-Sébastien Coron,et al.  On the Security of RSA Padding , 1999, CRYPTO.

[18]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[19]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[20]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.