An Efficient Designated Receiver Signature Scheme

International Review on Computers and Software (I.RE.CO.S.), Vol. 02, n. 04, July 2007, pp. 366-370

1 Mammon S. Rababaa, 2 Sattar J. Aboud and 3 Mohammad A. Al-fayoumi

Abstract – This article introduces a designated receiver signature scheme, which has the characteristic that the signature can be verified only with the cooperation of the signature recipient. The proposed digital signature scheme aims to secure the confidentiality of the signature recipient in the many uses where the signed document holds very important data regarding the recipient personally. We claim that the proposed scheme is scalable, secure, completely dynamic and more efficient than the existing schemes.

Keywords – Public key cryptography, digital signature scheme, designated receiver signature scheme

I. Introduction

The idea of public key encryption, introduced in [1], gives influential means of facing many of the security difficulties occurring these days, so public key algorithms are increasingly used for cryptographic purposes. The digital signature scheme is one of the well-known public key cryptography schemes and is necessary in many security settings such as the internet. However, a digital signature scheme has the characteristic that any person possessing a copy of the signature can verify its legitimacy using public resources. This property is essential for certain uses of digital signatures, for instance certificates published by an agency, but it gives more validation than is needed in various other uses. It is therefore preferable to place certain limitations on this property to avoid possible abuse of the digital signature. The zero-knowledge undeniable signature scheme [2] gives a method of protection that is important to the signer: an undeniable signature is created in such a way that it can be verified only with the signer's assistance, so the signer has entire control over the verification of the signature. In contrast, in various uses of digital signature schemes the signed document is very important to the signature recipient personally, and the recipient might be concerned about misuse of the digital signature. Examples are signatures on medical transactions, income tax and other personal information. In these examples the best type of signature is one that can be checked only via the recipient [3]. Certainly, the recipient must be able to persuade any person that the signature is an authentic signature signed by the signer. Such a signature scheme is proposed to secure the confidentiality of the signature recipient by placing the use of the signature under the control of the recipient only.

Manuscript received July 2007, revised --- 2007, accepted --- 2007

The idea of a designated receiver signature scheme was initially introduced in [4], and it relied on a practical zero-knowledge proof signature scheme [5, 6]. Another scheme presented the idea of the designated receiver signature to address the vulnerability of the undeniable signature [7]. Also, a different scheme introduced a more realistic structure of designated confirmer signature [8]. The last two signature schemes are the same except in who is given the ability to verify the validity of the signature: in the designated receiver signature it is given directly to the signature recipient, whereas in the designated confirmer signature it is given to a designated trusted authority. In this article we introduce a different designated signature scheme that relies on the discrete logarithm assumption. Since the message being signed is intimately related to the confidentiality of the recipient in many uses, it is preferable to transmit the message encrypted, so a simple technique for providing privacy is also explained. The proposed scheme is efficient compared with the existing schemes, and it is scalable and completely dynamic.

II. Background

First we present the notations used in this section:

$p, q$ : Prime numbers such that $q$ divides $p - 1$
$g$ : Generator, where $Z_p^* = \{1 \le g \le p - 1\}$ and $\gcd(g, p) = 1$ means $g \in Z_p^*$
$m$ : The message to be signed
$h(m)$ : One-way hash function
$A$ : The signer and a generator of public and secret keys
$(e_A, d_A)$ : Public and secret keys for entity $A$
$(a_A, b_A)$ : Digital signature generated by entity $A$
$B$ : The receiver and the verifier of the signature
$\|$ : Concatenation

Suppose $p$ and $q$ are two prime numbers where $q$ divides $p - 1$, $g \in Z_p^*$ and $h$ is a one-way hash function [9]. The values $p$, $q$, $g$ and $h$ are scheme keys and are known to all entities. Suppose that each entity $A$ in the scheme has a public and private key $(e_A, d_A)$ respectively, where $e_A = g^{d_A} \bmod p$ such that $d_A \in Z_q$. The suggested signature scheme relies on the signature generation by smart card scheme [10], which is concisely explained here. In the signature generation by smart card scheme, entity $A$ can produce the digital signature $(a_A, b_A)$ on message $m$ by finding $a_A = h(i, m)$, where $i = g^{r_A} \bmod p$ for an arbitrary integer $r_A \in Z_q$ such that $i \in Z_q$, and then computing $b_A = r_A + d_A * a_A \bmod q$. Now entity $B$ can confirm this signature by checking that $h(g^{b_A} * e_A^{a_A} \bmod p, m) = a_A$. To perform this, entity $B$ must first compute $v = g^{b_A} * e_A^{a_A} \bmod p$ and then compute $h(m \| v) = a_A$.

II.1. Example

Key generation: suppose $p = 129841$, $q = 541$ and $g = 26$. Assume that entity $A$ selects a random integer as a private key $d_A = 423$, then computes the public key $e_A = 26^{423} \bmod 129841 = 115917$. Thus entity $A$'s public key is $(p = 129841, q = 541, g = 26, e_A = 115917)$.

Signature generation: entity $A$ now produces the digital signature $(a_A, b_A)$ on message $m = 237$ by selecting a random number $r_A = 327$ where $1 \le r_A \le q - 1$ and computing $i = 26^{327} \bmod 129841 = 49375$, such that $i \in Z_q$ is a secret key of entity $A$, and $a_A = h(m \| i) = 155$; the hash value has been contrived for this example. Then entity $A$ computes $b_A = 423 * 155 + 327 \bmod 541 = 431$. The signature for $m$ is $(b_A = 431, a_A = 155)$.

Signature verification: entity $B$ computes $v = 26^{431} * 115917^{155} \bmod 129841 = 49375$ and $a_A' = h(m \| v) = 155$. So entity $B$ accepts the signature since $a_A' = a_A$.

III. The Proposed Designated Receiver Signature Scheme

Assume that entity $A$ needs to generate a signature for message $m$ such that only the receiver entity $B$ can verify the signature and can also prove its validity to the trusted authority $T$ when needed. The signing and verifying algorithms are as follows.

III.1. Algorithm for Signature Generation

To generate a signature entity $A$ must do the following:
1. Select randomly two integers $r_{A_1}, r_{A_2}$ where $1 \le r_{A_1}, r_{A_2} \le q - 1$
2. Find $s_A = g^{r_{A_1} - r_{A_2}} \bmod p$
3. Compute $x_B = e_B^{r_{A_1}} \bmod p$
4. Find $a_A = h(x_B, s_A, m)$ by the one-way hash function $h$
5. Compute $b_A = r_{A_2} - d_A * a_A \bmod q$
6. Send the signature $(s_A, a_A, b_A, m)$ to the receiver $B$

III.2. Algorithm for Signature Verification

To verify the signature, the receiver entity $B$ must do the following:
1. Find $x_B' = (g^{b_A} * e_A^{a_A} * s_A)^{d_B} \bmod p$
2. Verify that $a_A = h(x_B', s_A, m)$
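Sections III.1 and III.2 as runnable code, added here as an illustration and not taken from the paper. It uses the paper's toy numbers; SHA-256 as h, the function names and the order-q generator G_SUB = 3^((p-1)/q) mod p are assumptions of this example. The second half of demo() reruns the paper's g = 3 with its contrived hash value 65 and shows that the receiver's x'_B then differs from the signer's x_B, because b_A is reduced mod q while 3 does not have order q in Z*_p.

```python
import hashlib

# Toy parameters from the paper's example (Section III.4); far too small for real use.
P, Q = 7879, 101
G_PAGE = 3                        # the g used in the paper's example
G_SUB = pow(3, (P - 1) // Q, P)   # assumption of this example: an element of order q


def h(x_b, s_a, m):
    """Stand-in for the paper's hash h(x_B, s_A, m): SHA-256 read as an integer."""
    digest = hashlib.sha256(f"{x_b}|{s_a}|{m}".encode()).digest()
    return int.from_bytes(digest, "big")


def public_key(g, d):
    """e = g^d mod p."""
    return pow(g, d, P)


def sign(g, d_a, e_b, m, r1, r2, hash_fn=h):
    """Section III.1: returns the signature (s_A, a_A, b_A)."""
    s_a = pow(g, r1 - r2, P)       # s_A = g^(r_A1 - r_A2) mod p
    x_b = pow(e_b, r1, P)          # x_B = e_B^(r_A1) mod p, never transmitted
    a_a = hash_fn(x_b, s_a, m)
    b_a = (r2 - d_a * a_a) % Q     # b_A = r_A2 - d_A * a_A mod q
    return s_a, a_a, b_a


def receiver_x(g, e_a, d_b, sig):
    """Section III.2 step 1: x'_B = (g^b_A * e_A^a_A * s_A)^d_B mod p."""
    s_a, a_a, b_a = sig
    t = pow(g, b_a, P) * pow(e_a, a_a, P) * s_a % P
    return pow(t, d_b, P)


def verify(g, e_a, d_b, m, sig, hash_fn=h):
    """Section III.2 step 2: accept iff a_A = h(x'_B, s_A, m)."""
    s_a, a_a, _ = sig
    return hash_fn(receiver_x(g, e_a, d_b, sig), s_a, m) == a_a


def demo():
    d_a, d_b, m, r1, r2 = 31, 54, 71, 29, 17   # values from the paper's example
    out = {}
    # (1) Generator of order q: only the holder of d_B recovers x_B.
    e_a, e_b = public_key(G_SUB, d_a), public_key(G_SUB, d_b)
    sig = sign(G_SUB, d_a, e_b, m, r1, r2)
    out["valid"] = verify(G_SUB, e_a, d_b, m, sig)
    out["wrong_key"] = verify(G_SUB, e_a, d_b + 1, m, sig)   # not B's secret key
    out["tampered"] = verify(G_SUB, e_a, d_b, m + 1, sig)    # altered message
    # (2) The paper's g = 3 with its contrived hash value 65.
    fixed = lambda *_: 65
    e_a3, e_b3 = public_key(G_PAGE, d_a), public_key(G_PAGE, d_b)
    sig3 = sign(G_PAGE, d_a, e_b3, m, r1, r2, hash_fn=fixed)
    out["page_sig"] = sig3
    out["page_x_match"] = receiver_x(G_PAGE, e_a3, d_b, sig3) == pow(e_b3, r1, P)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```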

III.3. Algorithm for Proof of the Signature Verification

The steps by which entity $B$ proves the validity of the signature $(s_A, a_A, b_A, m)$ to the trusted authority $T$ are as follows:
1. Entity $B$ initially finds $t = g^{b_A} * e_A^{a_A} * s_A \bmod p$
2. Entity $B$ then computes $x_B = t^{d_B} \bmod p$
3. Entity $B$ then sends $(x_B, s_A, a_A, b_A, m)$ to $T$
4. Entity $T$ checks that $a_A = h(x_B, s_A, m)$. If it does not hold, the trusted authority $T$ rejects the signature. Otherwise the trusted authority $T$ finds $t = g^{b_A} * e_A^{a_A} * s_A \bmod p$
5. Finally entity $B$ verifies to $T$ that $\log_t x_B = \log_g e_B$ using the discrete logarithm scheme [11].

III.4. Example

We will illustrate the suggested designated receiver signature scheme with artificially small parameters.

Key generation: entity $A$ selects primes $p = 7879$ and $q = 101$ such that $(p - 1)/q = 78$; entity $A$ then selects a random integer $g = 3 \in Z_p^*$. Suppose the entities are $(A, B, T)$ and their chosen secret keys are $d_A = 31$, $d_B = 54$ and $d_T = 16$, so their public keys are computed as follows: $e_A = 3^{31} \bmod 7879 = 265$, $e_B = 3^{54} \bmod 7879 = 957$ and $e_T = 3^{16} \bmod 7879 = 3744$.

Signature generation: entity $A$ now produces the digital signature on message $m = 71$ and then selects two secret random numbers $r_{A_1} = 29$, $r_{A_2} = 17$ where $1 \le r_{A_1}, r_{A_2} \le 100$. Then entity $A$ computes $s_A = 3^{29 - 17} \bmod 7879 = 3548$; entity $A$ also computes $x_B = 957^{29} \bmod 7879 = 4902$. To find $a_A = h(4902 \| 3548 \| 71) = 65$, the hash value has been contrived for this example. Then entity $A$ computes $b_A = 17 - 31 * 65 \bmod 101 = -79 + 101 = 22$. Finally entity $A$ sends $(3548, 65, 22, 71)$ to entity $B$.

Signature verification: to verify the signature entity $B$ computes $x_B' = (3^{22} * 265^{65} * 3548)^{54} \bmod 7879 = 6548$, then verifies that $a_A = h(6548 \| 3548 \| 71) = 65$. To prove the validity of the signature $(s_A, a_A, b_A, m)$ to the trusted authority $T$, entity $B$ should first compute $t = 3^{22} * 265^{65} * 3548 \bmod 7879 = 753$. Then entity $B$ finds $x_B = 753^{54} \bmod 7879 = 6548$. Next entity $B$ sends $(6548, 3548, 65, 22, 71)$ to entity $T$. Entity $T$ checks that $a_A = h(4902 \| 3548 \| 71) = 65$.

IV. Designated Receiver Signature Using Encryption

If the signed document contains very important data concerning the receiver entity $B$ personally, it is useful to encrypt it during transmission. Therefore, it is useful to add privacy to the suggested designated receiver signature scheme using the ElGamal encryption scheme [12]. Thus entity $A$ can generate a session key $R_{AB}$ from $x_B$, for instance $R_{AB} = h(x_B)$ by a hash function $h$. In the suggested scheme the session key could be obtained from $r_{A_1}$ or from $x_A$. Thus, entity $A$ encrypts a message $m$ as $c = E_{R_{AB}}(m)$ and passes both the result value and the signature $(s_A, a_A, b_A)$ to entity $B$. Entity $B$ then finds $x_B'$ to obtain $R_{AB} = h(x_B')$ and recovers the message from $c$ using $m' = D_{R_{AB}}(m)$. Then the signature is legitimate if $a_A = h(x_B', s_A, m')$. Assume that entity $B$ needs to verify to $T$ that the signature $(s_A, a_A, b_A)$ on message $m$ is a valid signature published by entity $A$. Then entity $B$ encrypts $m$ with a session key $R_{BC}$, passes to $T$ both the result value and the signature $(s_A, a_A, b_A)$, and then proves the verification of the scheme. The session key $R_{BC}$ is established by the Diffie-Hellman key exchange scheme. The easiest method to obtain it is $x_C = e_C^{r_B} \bmod p$ under an arbitrary $r_B \in Z_q$; entity $B$ then passes $s_B = g^{r_B}$ to the trusted authority $T$.

V. Discussion

In the signing algorithm entity $A$ selects randomly two keys $r_{A_1}$ and $r_{A_2}$ to secure the Diffie-Hellman public key $g^{d_A * d_B} \bmod p$, so knowledge of $x_B$ does not help to detect the signature. The apparent benefit of the above signature scheme is that the value of the signature means nothing to a trusted authority $T$, because there is no way to check its validity. It also has a security benefit, because the relationship between the signature and the signer's private key is not known to any entity other than the designated receiver. As a result, propagation and abuse are very difficult in this signature algorithm. We claim that it is very attractive to employ this signature in any confidential communication channel. Certainly, sometimes the receiver needs to hinder the signature and confirm its validity to a trusted authority $T$. For instance, when an entity $B$ applies for a position in an organization, he needs to prove his income tax clearance by getting a designated receiver signature for his income tax clearance record from the department of income tax $A$, showing the signature to the organization and confirming its validity. Entity $B$ can employ a secure challenge-response protocol [13] in this matter. Thus, the organization will obtain nothing other than the validity of the signature used. Now, we will study some possible threats.

1. If the designated representative signer entity $B$ is lying, it may defraud the general signer entity $A$ and obtain the signature $(a_A, b_A)$ on any selected message $m$. The solution to this difficulty is the presence of the trusted authority. The original signer entity $A$ may insist that each message between the two participants entity $A$ and entity $B$ throughout the scheme must be validated. The trusted authority holds the log file of the original signer's demands and inspects every case in which the designated signer does not comply with the original signer's request.

2. If someone attempts to obtain the integer $r_{A_2}$ and also the private signature key $ar$ of the representative signer entity $B$ from the formula $b_A = r_{A_2} - d_A * a_A \bmod q$: since there are two unknown variables in this formula, it is computationally difficult for a forger to gather the private keys $r_{A_2}$ and $ar$.

3. If someone forges the signature $(s_A, a_A, b_A, m)$ by the formula $t = g^{b_A} * e_A^{a_A} * s_A \bmod p$: it is difficult to find the key $s_A$ from this formula, because doing so has the same complexity as calculating discrete logarithms.

4. If someone masquerades as the designated signer entity $B$ by arbitrarily picking two numbers $r_{A_1}$ and $r_{A_2} \in Z_q$ without being given the private key $ar$: it is hard to create a valid representative signature private key $ar$ that complies with the verification formula $x_B' = (g^{b_A} * e_A^{a_A} * s_A)^{d_B} \bmod p$, $a_A = h(x_B', s_A, m)$.

VI. Future Research

Future research can concentrate on maximizing the flexibility of the designated receiver signature scheme while preserving the same level of security. In addition, areas that need future research include applications such as designated delegated signature schemes, designated threshold multi-signature schemes, undeniable designated receiver signature schemes, blind designated receiver signature schemes and group designated receiver signature schemes, all of which still need research to make this scheme more successful.

VII. Conclusions

The proposed designated receiver signature scheme is convenient when the signed message has very important information related to the signature recipient personally. In the suggested scheme, the signature recipient has entire control over the signature verification steps. No one can verify the validity of the signature without the recipient's help. Since the relation between the signer and the signer's secret key is not known to anyone, this scheme is more secure than any other scheme based on the discrete logarithm problem. The suggested designated receiver signature scheme can substitute for the general digital signature schemes in various uses, especially if the signed document contains very important information related to the recipient personally. Besides, utilizing this scheme can also reduce the potential abuse, in addition to the propagation, of signature validation. We introduced this signature scheme based on the discrete logarithm assumption; the security level of this scheme is similar to that of other schemes based on discrete logarithm intractability. The suggested scheme is more secure and efficient, and in addition is scalable and completely dynamic.

References

[1] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transaction on Information Theory, 31, pp. 644-651, 1976.
[2] D. Chaum, "Zero-knowledge undeniable signatures", Advances in Cryptology, Eurocrypt '90, Springer-Verlag, LNCS 473, pp. 458-461, 1991.
[3] Sunder Lal and Manjo Kumar, "A direct signature scheme and its Applications", Proceedings, National Conference on Information Security, New Delhi, 8-9 Jan 2003, pp. 124-132.
[4] L. C. Guillou and J. J. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and Memory", Advances in Cryptology, Eurocrypt '88, Springer-Verlag, LNCS 330, pp. 123-128, 1988.
[5] C. H. Lim and P. J. Lee, "Modified Maurer-Yacobi Scheme and its Applications", Advances in Cryptology, Auscrypt '92, Springer-Verlag, LNCS 718, pp. 308-323, 1993.
[6] C. H. Lim and P. J. Lee, "Security Protocol", in Proceedings of International Workshop, Cambridge, United Kingdom, Springer-Verlag, LNCS 1189, 1996.
[7] D. Chaum, "Designated confirmer signatures", Advances in Cryptology, Eurocrypt '94, Springer-Verlag, LNCS 950, pp. 86-91, 1995.
[8] T. Okamoto, "Designated Confirmer Signatures and Public Key Encryption are Equivalent", Advances in Cryptology, Crypto '94, Springer-Verlag, LNCS 839, pp. 61-74, 1994.
[9] Y. Zheng, T. Matsumoto and H. Imai, "Structure Properties of one-way hash function", Advances in Cryptology, Crypto '90, Proceedings, Springer-Verlag, pp. 285-302, 1990.
[10] C. P. Schnorr, "Efficient Signature Generation by Smart Cards", Journal of Cryptology, 4(3), pp. 161-174, 1994.
[11] J. Boyar, D. Chaum, I. Damgard and T. Pedersen, "Convertible undeniable Signatures", Advances in Cryptology, Crypto '90, Springer-Verlag, LNCS 537, pp. 189-205, 1990.
[12] T. ElGamal, "A Public key Cryptosystem and a Signature Scheme based on Discrete Logarithms", IEEE Transaction on Information Theory, IT-31, pp. 469-472, 1985.
[13] D. Stinson, "Cryptography Theory and Practice", 3rd edition, CRC Press, pp. 189-205, 2006.

Authors' information

Mamoun S. Al Rababaa received his M.Sc degree in 1995. A Ph.D. was received in 1999 in the area of computing engineering from Ukraine. In 2000, he joined Irbid National University in Jordan as an assistant professor in the computer science department. In 2003 he moved to Al al-Bayt University in Jordan as an assistant professor and chairman of the computer science department. Since 2005 he has been chairman of the information systems department at Al al-Bayt University. His research interests include areas like information security, network security, internet security, viruses and artificial intelligence, expert systems and genetic algorithms. He has supervised numerous master's degree research theses and projects in diverse areas. Mamoun Al Rababaa has published many research papers in a multitude of international journals and conferences.


Sattar J Aboud received his Bachelor's degree in 1975. In 1982, he earned his M.Sc degree in computing science. A Ph.D. was received in 1988 in the area of computing systems. The last two degrees were awarded from the U.K. In 1990, he joined the institute of technical foundation, ministry of higher education in Iraq as an assistant professor and head of the computer system department. In 1993 he moved to Arab University College for science and technology in Iraq as an associate professor and deputy dean. In 1995 he joined Philadelphia University in Jordan as an associate professor and chairman of the computer science and information system department. In 2004 he moved to the Amman Arab University for graduate studies, graduate college for computing studies, as a professor and chairman of the curriculum committee for postgraduate courses. Currently, he is a professor in the department of computer information systems at the Middle East University for graduate studies, Amman-Jordan. His research interests include areas like public key cryptography, steganography, digital signatures, identification and authentication, secret sharing keys, software piracy, viruses, network security, database security, e-commerce and e-learning security, and algorithm analysis and design. He has supervised numerous PhD and master's degree research theses and projects in diverse areas. Sattar J Aboud has published more than 50 research papers in a multitude of international journals and conferences.

Fayoumi Mohammad received his Bachelor's degree in 1974. In 1977, he earned his M.Sc degree in mathematics, and a postgraduate diploma in computer science was received in 1979. A Ph.D. was received in 1982 in the area of computing systems. The last two degrees were awarded from Bucharest University. He joined Yarmouk University in Jordan in 1982 as an assistant professor and head of the computer science department. In 1986 he moved to the College of Business Studies in Kuwait and then moved back to Jordan, to Applied Science University, as an associate professor, head of the CS & CIS department and deputy dean. Currently, he is the dean of the information technology faculty at the Middle East University for Graduate Studies, Amman-Jordan. His research interests include areas of information security, computer simulation, systems development, e-commerce, e-learning and internet security, and algorithm analysis and design. He has supervised numerous PhD and master's degree research theses and projects in diverse areas. Fayoumi has published more than 25 research papers in a multitude of international journals and conferences, in addition to nine books in the area of computer sciences.


Copyright © 2007 Praise Worthy Prize - All rights reserved
