
International Journal of Mathematics, Computer Sciences and Information Technology, Vol. 3, No. 2, July-December 2010, pp. 387-402

A REVIEW ON DIGITAL SIGNATURE SCHEMES


Chitra G. Desai¹, Manisha B. Patil² and B. W. Gawali³

¹HOD (MCA Department), MIT Engineering College, Aurangabad, India
²Research Student, Department of Computer Science, University of Pune, India
³Reader, Department of Computer Science and IT, Bamu, A Bad

Abstract: A digital signature is a cryptographic method for verifying the identity of an individual, a process, a computer system, or any other entity, in much the same way as a handwritten signature verifies the identity of a person. Digital signatures use the properties of public-key cryptography to produce pieces of information that verify the origin of data. Several digital signature schemes have been proposed to date, based on factorization, discrete logarithms and elliptical curves. However, the RSA digital signature scheme, based on factorization, and the Elgamal digital signature scheme, based on the discrete logarithm, gained wide acceptance. Many schemes followed thereafter with small changes. Some schemes evolved by combining factorization and the discrete logarithm, so that, from the hacker's point of view, two hard problems have to be solved. Though these have been challenged as not that successful, this paper presents a review of the existing digital signature schemes and the claims made for them. Finally, we conclude with the scope for further research on digital signature schemes based on factorization and the discrete logarithm together.

1. INTRODUCTION

Confidential communication is one of the necessities of social life. This can be best achieved through cryptography. Cryptography is the art or science of keeping secrets secret. Cryptography is about secure communication through insecure channels. Cryptographic techniques, such as encipherment, digital signatures, key agreement and secret sharing schemes, are important building blocks in implementing any security service for confidential communication. A cryptosystem defines encryption and decryption transformations, which depend on the value of keys. Secret-key (or private-key) cryptography uses a single key for both hiding (encrypting) and revealing (decrypting) data. Public-key cryptography, in contrast, uses two keys that are related by a mathematical function. Public key cryptography is an asymmetric scheme that uses a pair of keys: a public key, which encrypts data, and a corresponding private key, or secret key, for decryption. Each user has his own key pair. The public key is published to the world while the private key is kept secret. Anyone with a copy of the public key can then encrypt information that only the person having the corresponding private key can read. The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. The need for sender and receiver to share a secret key via some secure channel is eliminated; all communication involves only public keys, and no private key is ever transmitted or shared. A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of its origin, and also to verify that the information is intact. A digital signature is typically created by computing a message digest from the original document and concatenating it with information about the signer, such as a time stamp. The resulting string is then encrypted using the private key of the signer. The encrypted block of bits is known as the digital signature. Digital signatures are used to verify that a message really comes from the sender that the recipient supposes sent it. In order to verify the digital signature, the recipient must decide whether it trusts that the key used to encrypt the message actually belongs to the person it is supposed to belong to. A digital signature is a very small amount of data created using some secret key. Typically there is a public key that can be used to verify that the signature was really generated using the corresponding private key. The algorithm used to generate the signature is of sufficient cipher strength that, without knowing the secret key, it would be impossible to create a counterfeit signature that would verify as valid. Once the recipient has decrypted the signature using the public key of the sender, the recipient compares the information to see if it matches that of the message. Only then is the signature accepted as valid.

*Corresponding author: chitrag_desai@yahoo.com1, manishap6@gmail.com2

Digital signatures can also be used for other purposes, such as time-stamping documents. In this process, a trusted party signs the document together with its embedded time stamp using the secret key, which proves that the document existed at a specified time. Digital signatures can also be used to certify that a public key belongs to a specific individual. This is accomplished by signing the key and certain information about the key holder with a separate trusted key. The digital signature of the trusted key, together with the public key and the particular information about the holder of the public key, creates what is known as a digital certificate. Reasons for trusting a third-party key would be that it is from a known, trusted source or that it was reciprocally signed by another trusted key. Eventually, in this chain of trust, there exists some key at the root of the trust hierarchy, known as the root certificate. In a centralized key management infrastructure, there are only a few roots in the trust network. These roots are known as certificate authorities. The strength of a digital signature lies in the digital signature scheme used to generate it. Several schemes have evolved since the 1970s, but before moving into the details of the schemes it is necessary to understand the background, that is, cryptography and, in detail, public key cryptography.


1.2. Cryptography

The word cryptology stems from Greek, meaning "hidden word", and is the umbrella term used to describe the entire field of secret communications. Cryptology splits into two subdivisions: cryptography and cryptanalysis. Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, data origin authentication and non-repudiation. The cryptanalyst seeks to undo the cryptographer's work by breaking a cipher or by forging coded signals that will be accepted as authentic. General information on cryptography can be found in [1], [2]. There are two major types of cryptosystems: symmetric-key cryptosystems and public-key cryptosystems. We will pay particular attention to public-key cryptosystems. Thus, we first give a formal definition of a cryptosystem. A cryptosystem is a five-tuple (M, K, C, E, D) where the following conditions are satisfied:

1. M is a finite set of possible plaintexts or messages.
2. C is a finite set of possible ciphertexts or cryptograms.
3. K is a finite set of possible keys.
4. Deciphering the enciphered form of a message M yields M: $D_k(E_k(M)) = M$.

1.2.1. Symmetric Key Cryptography

Consider an encryption scheme consisting of the sets of encryption and decryption transformations. The encryption scheme is said to be symmetric-key if, for each associated encryption/decryption transformation pair $(E_K, D_K)$, it is computationally easy to determine $D_K$ knowing only $E_K$, and to determine $E_K$ from $D_K$. Since $E_K = D_K$ in most practical symmetric-key encryption schemes, the term symmetric-key becomes appropriate. Other terms used in the literature are single-key, one-key and conventional encryption.

Figure 1: Symmetric Key Cryptography

1.2.2. Public Key Cryptography

In 1976, the idea of public-key cryptography was presented by Diffie and Hellman [3]. Although revolutionary, the idea is still very simple. In public-key cryptosystems, one can safely publicize one's encryption method. This means that the cryptanalyst will also know it. However, he/she is still unable to decrypt your ciphertext. This is what public-key cryptography is all about: the encryption method can be made public. In public-key cryptography, it is computationally infeasible to compute the decrypting transformation $D_K$ from the encryption transformation $E_K$.

Figure 2: Public Key or Asymmetric Key Cryptography

In a public key cryptosystem each user places in a public file an encryption procedure E. That is, the public file is a directory giving the encryption procedure of each user. The user keeps secret the details of his corresponding decryption procedure D. These procedures have the following four properties:

(a) Deciphering the enciphered form of a message M yields M. Formally, D(E(M)) = M.
(b) Both E and D are easy to compute.
(c) By publicly revealing E the user does not reveal an easy way to compute D. This means that in practice only he can decrypt messages encrypted with E, or compute D efficiently.
(d) If a message M is first deciphered and then enciphered, M is the result. Formally, E(D(M)) = M.

An encryption (or decryption) procedure typically consists of a general method and an encryption key. The general method, under control of the key, enciphers a message M to obtain the enciphered form of the message, called the ciphertext C. Everyone can use the same general method; the security of a given procedure will rest on the security of the key. Revealing an encryption algorithm then means revealing the key. When the user reveals E he reveals a very inefficient method of computing D(C): testing all possible messages M until one such that E(M) = C is found. If property (c) is satisfied the number of such messages to test will be so large that this approach is impractical. A function E satisfying (a)-(c) is a trap-door one-way function; if it also satisfies (d) it is a trap-door one-way permutation. Diffie and Hellman [3] introduced the concept of trap-door one-way functions but did not present any examples. These functions are called one-way because they are easy to compute in one direction but (apparently) very difficult to compute in the other direction. They are called trap-door functions since the inverse functions are in fact easy to compute once certain private trap-door information is known.
A trap-door one-way function which also satisfies (d) must be a permutation: every message is the ciphertext for some other message and every ciphertext is itself a permissible message. (The mapping is one-to-one and onto.) Property (d) is needed only to implement signatures.

In traditional cryptosystems, such as DES, IDEA, etc., security is based on the preferences of the cryptosystem designers and some of the more complicated mathematical calculations; such systems can only provide data security, like data encryption and decryption, but offer no way to achieve a digital signature. Digital signature technology is based on public-key cryptosystems (also known as asymmetric cryptography). In 1976, Whitfield Diffie and Martin Hellman, in "New direction in cryptology" [3], put forward the idea of public-key cryptography. So far, there are mainly three ways to build a public-key cryptosystem, each based on a mathematical problem, so that both the security of data confidentiality and the feasibility of computer implementation are available:

I. based on the large Integer Factorization Problem (IFP), such as RSA [4] and Rabin;
II. based on the Discrete Logarithm Problem (DLP), such as Diffie-Hellman and ElGamal [3, 5];
III. based on the Elliptic Curve Discrete Logarithm Problem (ECDLP), such as the Elliptic Curve Cryptosystem (ECC) [6], [7] and the Hyper Elliptic Curve Cryptosystem (HECC) [8].

However, studies show that the algorithmic complexity of the IFP and DLP is subexponential, so their security can only be ensured by increasing the key length. The ECDLP is defined on elliptic curves over Galois (finite) fields; there is no subexponential solution for general elliptic curves (excluding a few special elliptic curves), and the best solution at present to the elliptic curve discrete logarithm is the Pollard rho algorithm.
Because the key length which the ECDLP needs is far less than that of public-key cryptosystems based on the IFP and DLP, the elliptic curve cryptosystem is increasingly becoming the most popular public-key cryptosystem [9].

2. INTEGER FACTORIZATION

The problem of integer factorization is one of the oldest in number theory, and the advent of computers has stimulated considerable progress in recent years. However, the security of many cryptographic techniques depends upon the intractability of the integer factorization problem. A partial list of such schemes includes the RSA public-key encryption scheme and the RSA signature scheme. This section focuses on the current knowledge on algorithms for the integer factorization problem. The integer factorization problem is the following: given a positive integer n, find its prime factorization; that is, write

$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$

where the $p_i$ are pairwise distinct primes and each $e_i \geq 1$.


This problem is believed to be hard for general n when n is large. Some ingenious methods have been devised in an attempt to factorize large composite numbers n. The three methods that are most effective on very large numbers are the quadratic sieve, the elliptic curve method and the number field sieve. Other well-known methods that were precursors include Pollard's rho-method and p − 1 method, Williams's p + 1 method, the continued fraction algorithm, and of course, trial division. A good overview of factoring methods can be found in [20].
2.1. The RSA Problem

A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$. The security of the system rests in part on the difficulty of factoring the published divisor, n. A number n with large prime factors is more difficult to factor than a number with small prime factors. That is why the size of the modulus in the RSA algorithm determines how secure an actual use of the RSA cryptosystem is. The two primes p and q, which compose the modulus, should be of roughly equal length. This makes the modulus harder to factor than if one of the primes is much smaller than the other.

3. DISCRETE LOGARITHMIC PROBLEM

The discrete logarithm problem applies to mathematical structures called groups. The discrete logarithmic problem is as follows: given an element g in a finite group G and another element h in G, find an integer x such that $g^x = h$. Like the factoring problem, the discrete logarithm problem is believed to be difficult. For this reason, it has been the basis of several public key cryptosystems. The discrete logarithm problem bears the same relation to these systems as factoring does to the RSA system: the security of these systems rests on the assumption that discrete logarithms are difficult to compute. The discrete logarithm problem has received much attention in recent years. The best discrete logarithm algorithms have expected running times similar to those of the best factoring algorithms. Some cryptosystems in which security depends upon the difficulty of a certain problem in G related to computing discrete logarithms are Elgamal encryption, Diffie-Hellman key exchange, the Digital Signature Algorithm, etc.

4. ELLIPTICAL CURVES

Elliptical curves are described by the set of solutions to certain equations in two variables. Elliptical curves defined modulo a prime p are of central importance in public key cryptography. Any elliptical curve can be written as a plane algebraic curve defined by an equation of the form $y^2 = x^3 + ax + b$ which is non-singular; that is, its graph has no cusps or self-intersections. Elliptical curves are illustrated in Fig. 3 for various values of a and b. The set of points on such a curve can be shown to form an abelian group (with the point at infinity as identity element). If the coordinates x and y are chosen from a large finite field, the solutions form a finite abelian group. Elliptical curves used in cryptography are typically defined over two types of finite fields: fields of odd characteristic and fields of characteristic two. The points on an elliptical curve form an abelian group (E(F), +) with 0, the distinguished point at infinity, playing the role of additive identity.

Figure 3: Elliptical Curve

Given two points M1, M2 on E(F), there is a point, denoted by M1 + M2, on E(F), and the following relations hold for all M1, M2, M3:

(a) M1 + M2 = M2 + M1 (commutative)
(b) (M1 + M2) + M3 = M1 + (M2 + M3) (associative)
(c) M1 + 0 = 0 + M1 = M1 (existence of identity)
(d) There exists (−M1) such that (−M1) + M1 = M1 + (−M1) = 0 (existence of inverse)


Suppose that two distinct points M1 and M2 are on an elliptical curve, and M1 is not −M2. To add the points M1 and M2, a line is drawn through the two points. This line will intersect the elliptical curve in exactly one more point, call it P. The point P is reflected in the x-axis to the point M3. The law of addition in the elliptical curve group is M1 + M2 = M3. The result of the addition can be seen in Fig. 4.

Figure 4: Adding Two Points on Elliptical Curve
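
The chord rule and the four group relations above, as an added example that is not part of the original paper: point addition on a constructed toy curve over a prime field, with an exhaustive check of the relations. The curve y^2 = x^3 + x + 1 over F_23 is an assumed illustration value, and the example goes beyond the text by also handling doubling (the tangent case) and M2 = −M1.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over the prime field F_P
# (assumed values for illustration; real curves use primes of 256 bits or more).
P, A, B = 23, 1, 1
O = None   # the point at infinity, written 0 in the text


def is_nonsingular():
    """No cusps or self-intersections: 4a^3 + 27b^2 must be non-zero in F_P."""
    return (4 * A ** 3 + 27 * B ** 2) % P != 0


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def neg(pt):
    """-M is M reflected in the x-axis."""
    return O if pt is O else (pt[0], -pt[1] % P)


def add(m1, m2):
    """M1 + M2 by the chord rule (tangent rule when M1 == M2)."""
    if m1 is O:
        return m2
    if m2 is O:
        return m1
    (x1, y1), (x2, y2) = m1, m2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                      # M2 = -M1: vertical line
    if m1 == m2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)   # chord slope
    x3 = (lam * lam - x1 - x2) % P    # x of the third intersection point
    y3 = (lam * (x1 - x3) - y1) % P   # its y, already reflected in the x-axis
    return (x3, y3)


def all_points():
    """Enumerate E(F_P), including the point at infinity."""
    pts = [O]
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        pts.extend((x, y) for y in range(P) if y * y % P == rhs)
    return pts


def group_laws_hold(pts):
    """Check closure, identity, inverse, commutativity and associativity."""
    for m1 in pts:
        if add(m1, O) != m1 or add(O, m1) != m1 or add(m1, neg(m1)) is not O:
            return False
        for m2 in pts:
            s = add(m1, m2)
            if not on_curve(s) or s != add(m2, m1):
                return False
            for m3 in pts:
                if add(s, m3) != add(m1, add(m2, m3)):
                    return False
    return True


if __name__ == "__main__":
    pts = all_points()
    print("points on curve (with infinity):", len(pts))
    print("(3,10) + (9,7) =", add((3, 10), (9, 7)))
    print("group laws hold:", group_laws_hold(pts))
```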

Elliptical curve cryptosystems are analogs of existing public key cryptosystems, in which modular arithmetic is replaced by operations defined over elliptical curves. The security of elliptical curve cryptosystems relies on the underlying hard mathematical problems. It is proven that elliptical curve cryptosystems have no practical advantage over the RSA system, since their security is based on the underlying problem, namely integer factorization. Elliptical curve cryptosystems are faster than the corresponding discrete logarithm based systems. Elliptic curve cryptosystems are faster than the RSA system in signing and decryption, but slower in signature verification and encryption.

5. CLASSIFICATION OF DIGITAL SIGNATURE SCHEME

There are two classes of digital signature scheme:

(a) Digital signature scheme with appendix
(b) Digital signature scheme with message recovery

Digital signature schemes with appendix require the original message as input to the verification algorithm. Digital signature schemes with message recovery do not require the original message as input to the verification algorithm.
5.1. Digital Signature Scheme with Appendix

Digital signature schemes with appendix rely on a cryptographic hash function h. DSA, Elgamal [5] and Schnorr [10] signature schemes are such digital signature schemes. Prior knowledge of the message is required for the verification algorithm. In these signature schemes, a user A can produce a signature (from a set of elements called the signature space) for a message (from a set of elements called the message space), which can later be verified by any user B.
5.2. Digital Signature Scheme with Message Recovery

Digital signatures with message recovery have the feature that the message can be recovered from the signature itself. These schemes are useful for short messages. Prior knowledge of the message is not required for the verification algorithm. The RSA [4], Rabin [22] and Nyberg-Rueppel schemes are such digital signature schemes. Most digital signature schemes with message recovery are applied to messages of a fixed length, while digital signature schemes with appendix are applied to messages of arbitrary length. Any digital signature scheme with message recovery can be converted into a digital signature scheme with appendix by simply hashing the message and then signing the hash value.

6. DIGITAL SIGNATURE SCHEMES

A signature scheme consists of three probabilistic polynomial algorithms:

Figure 6: Digital Signature Scheme

Key-Generator: It takes as input a security parameter k, and outputs a pair (sk, pk), where sk is the secret key of the user, and pk is the matching public key.

Signature: This algorithm takes as input a message m and the secret key sk and produces a signature.

Verification: Finally, the verification algorithm takes as input a message m, a signature and the public key pk, and returns true if the signature is a valid signature of m, and false otherwise.

The following are the various digital signature schemes:
6.1. RSA Digital Signature Scheme [4]

The RSA signature scheme was the first digital signature scheme with message recovery. The RSA digital signature scheme is one of the most practical and versatile techniques available. The message space, signing space, signature space and ciphertext space for this scheme all belong to $Z_n$, where n = pq is the product of two randomly chosen prime numbers.
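
The two classes from Section 5 side by side on the RSA scheme, as an added example that is not part of the original paper: signing with message recovery over Z_n, and its conversion to a scheme with appendix by hashing first. The toy primes, the exponent and the use of SHA-256 reduced modulo n are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (assumed values; real moduli are thousands of bits long):
# n = p*q and e*d = 1 mod (p-1)(q-1), as in Section 2.1.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_recovery(m: int) -> int:
    """Message recovery: the message itself is signed, so it must lie in Z_n."""
    if not 0 <= m < N:
        raise ValueError("message must be an element of Z_n")
    return pow(m, D, N)


def recover(sig: int) -> int:
    """Verification takes only the signature and returns the signed message."""
    return pow(sig, E, N)


def digest(msg: bytes) -> int:
    """Map an arbitrary-length message into Z_n (SHA-256 reduced mod the toy n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_appendix(msg: bytes) -> int:
    """Appendix form: hash the message, then sign the hash value."""
    return sign_recovery(digest(msg))


def verify_appendix(msg: bytes, sig: int) -> bool:
    """Verification needs the original message to recompute the hash."""
    return recover(sig) == digest(msg)


if __name__ == "__main__":
    short = 424242                         # fits in Z_n: recoverable from the signature
    print("recovered:", recover(sign_recovery(short)))
    long_msg = b"a contract far longer than the modulus " * 100
    sig = sign_appendix(long_msg)          # arbitrary length: signed through its hash
    print("appendix signature valid:", verify_appendix(long_msg, sig))
```

With a modulus this small the reduced hash collides easily, so the block shows the structure of the two classes, not a usable parameter size.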
6.2. Feige-Fiat-Shamir Signature Scheme [26, 27]

This is a signature scheme with appendix. This scheme requires a one-way hash function. Unlike the RSA signature scheme, all users use the same modulus n = pq. In this scenario the key distribution center would need to generate the primes p and q and the secret and public key for each user.
6.3. Elgamal Signature Scheme [5]

In August 1991, the US National Institute of Standards and Technology (NIST) proposed a digital signature algorithm (DSA). The DSA has become a US Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS). DSS is the first digital signature scheme recognized by any government. DSA is a variant of the Elgamal signature scheme.
6.4. Nyberg-Rueppel Digital Signature Scheme

The key generation for the Nyberg-Rueppel signature is the same as DSA key generation; the signing space is $M_s = Z_p^*$, where p is prime, and the signature space is $S = Z_p \times Z_q$, where q is a prime and q divides (p − 1).
6.5. Forward-Secure Digital Signature Scheme

A forward-secure digital signature scheme is, first of all, a key-evolving digital signature scheme. A key-evolving signature scheme is very similar to a standard one. Like a standard signature scheme, it contains a key generation algorithm, a signing algorithm, and a verification algorithm. The public key is left unchanged throughout the lifetime of the scheme, making the verification algorithm very similar to that of a standard signature scheme. Unlike a standard signature scheme, a key-evolving signature scheme has its operation divided into time periods, each of which uses a different (but related) secret key to sign a message. The way these keys are updated is given by a public update algorithm, which computes the secret key for the new time period based on that for the previous one. The forward security comes, in part, from the fact that this update function is one-way and, given the secret key for the current period, it is hard to compute any of the previously used secret keys. It is important, of course, for the signer to delete the old secret key as soon as the new one is generated, since otherwise an adversary breaking the system could easily get hold of these undeleted keys and forge messages for time periods preceding that of the break-in.
6.6. Rabin Signature Scheme

In 1979, Rabin [22] proposed a digital signature scheme whose security is based on the difficulty of finding square roots modulo a composite number. Rabin's scheme provides fast signature verification, which only requires one calculation of the adopted one-way hash function, one multiplication and one addition modulo a composite number n, where n is the product of two large primes. Note that in Rabin's scheme, the signer cannot generate valid signatures for some messages if their corresponding signature equations are not solvable. Whenever the signature equation is solvable, it has four solutions (square roots), of which the signer can choose one as the signature of the message. Since then, several signature schemes derived from Rabin's scheme have been proposed in the literature [23-29]. However, they require a large public key [23-25, 28], and need iterative checks to verify a signature [28, 29].
6.7. Nyang and Song Fast Digital Signature Scheme

Nyang and Song 1997, [30] proposed a fast digital signature scheme derived from Rabin's scheme. The Nyang-Song scheme has the following characteristics: (i) all signature equations are solvable; (ii) it requires no more iterative checks for signature verification. Moreover, in the Nyang-Song scheme, each of the public key and the secret key is shortened to 2|n| bits, and it requires one calculation of the adopted one-way hash function and four modular multiplications (in $Z_n$) for signature verification.
6.8. Wei-Hua He and Tzong-Chen Wu Digital signature scheme

Wei-Hua He and Tzong-Chen Wu 1997, [31] proposed an improvement to the Nyang-Song fast digital signature. The improvement achieves the same security level as the original Nyang-Song scheme, without increasing the cost of signature generation. The improvement preserves the characteristics inherent in the Nyang-Song scheme. In addition, it has two significant advantages: (i) it is faster for signature verification than the Nyang-Song scheme, since two modular multiplications are eliminated; (ii) each of the public key and the secret key for each user is shortened to |n| bits, while the Nyang-Song scheme needs 2|n| bits. However, the size of a digital signature generated by the improvement is one bit longer than the original one.
6.9. Shao's Signature Schemes

Shao 1998, has proposed two digital signature schemes. Both schemes can be divided into key generation, signature generation and signature verification phases. Shao's first scheme is as follows.
6.9.1. Key Generation

Shao's signature scheme requires each entity who wants to sign messages to generate the following system parameters:

(a) a prime number p, where $p = 4 p_1 q_1 + 1$, $p_1 = 2 p_2 + 1$, $q_1 = 2 q_2 + 1$, and $p_1$, $p_2$, $q_1$, $q_2$ are all large primes;
(b) an integer $g \in Z_p^*$ (the multiplicative group of integers modulo p) of order $p_1 q_1$.

The parameters p, g and the product $p_1 q_1$ are published, while $p_1$, $q_1$, $p_2$ and $q_2$ must be kept secret from all users, and they can be discarded once p and g are produced. Any user A chooses her/his secret key x ($1 < x < p_1 q_1 / 2$) and publishes her/his corresponding public key $y = g^{x^2 + x^{-2}} \pmod{p}$.
6.9.2. Signature Generation

The digital signature of a message m is (k, r, s), which is produced by user A as follows:

(a) Randomly choose an integer t such that $1 < t < p_1 q_1 / 2$.
(b) Compute $r = g^{t^2 + t^{-2}} \pmod{p}$.
(c) Find s and k such that $x s + x^{-1} r = m t + k t^{-1} \pmod{p_1 q_1}$ and $x^{-1} s + x r = m t^{-1} + k t \pmod{p_1 q_1}$.

If k is even, choose a new value for t and repeat steps (a), (b) and (c) until k is odd.
6.9.3. Signature Verification

The signature (k, r, s) of a message m can be verified using signer A's public key y as follows.

1. Compute and check whether the following equation holds:

$y^{(s^2 + r^2)} = r^{(m^2 + k^2)} g^{4(mk - sr)} \pmod{p}$. (1)

Accept the validity of (k, r, s) if Eq. (1) holds.

Shao claimed that both his schemes were unbreakable if one cannot simultaneously solve both factorization and discrete logarithm problems. However, Lee [32] showed that both of Shao's signature schemes are, in fact, based only on the factorization problem.
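
The three phases of Shao's first scheme run end to end, as an added example that is not code from the paper or from Shao, on constructed toy parameters p = 1013, p1 = 11, q1 = 23. It reads the exponents of y and r as x^2 + x^(-2) and t^2 + t^(-2), and the remaining terms of step (c) as x^(-1) and t^(-1) modulo p1q1, which is the reading under which Eq. (1) follows by squaring and adding the two congruences of step (c). Requiring x and t to be invertible modulo p1q1, and solving step (c) by Cramer's rule, are assumptions added here.

```python
import random
from math import gcd

# Constructed toy parameters (far too small for real use) with the structure of
# 6.9.1: p = 4*p1*q1 + 1, p1 = 2*p2 + 1, q1 = 2*q2 + 1, all prime.
P2, Q2 = 5, 11
P1, Q1 = 2 * P2 + 1, 2 * Q2 + 1    # 11 and 23
N = P1 * Q1                        # 253, the published product p1*q1
P = 4 * N + 1                      # 1013


def is_prime(n):
    """Trial division, adequate for these toy sizes."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def find_g():
    """First fourth power in Z_p* whose order is exactly p1*q1."""
    for h in range(2, P):
        g = pow(h, 4, P)           # order divides (p - 1)/4 = p1*q1
        if pow(g, P1, P) != 1 and pow(g, Q1, P) != 1:
            return g
    raise ValueError("no element of order p1*q1")


G = find_g()


def sq_plus_inv_sq(v):
    """v^2 + v^(-2) mod p1*q1: the exponent used for both y and r."""
    v_inv = pow(v, -1, N)
    return (v * v + v_inv * v_inv) % N


def random_unit(rng):
    """Random v with 1 < v < p1*q1/2; invertibility mod p1*q1 is assumed here."""
    while True:
        v = rng.randrange(2, N // 2 + 1)
        if gcd(v, N) == 1:
            return v


def keygen(rng):
    x = random_unit(rng)
    return x, pow(G, sq_plus_inv_sq(x), P)       # (secret x, public y)


def sign(x, m, rng):
    x_inv = pow(x, -1, N)
    while True:
        t = random_unit(rng)
        t_inv = pow(t, -1, N)
        r = pow(G, sq_plus_inv_sq(t), P)
        # Step (c) as a linear system in (s, k) modulo p1*q1:
        #   x*s     - t_inv*k = m*t     - x_inv*r
        #   x_inv*s - t*k     = m*t_inv - x*r
        det = (x_inv * t_inv - x * t) % N
        if gcd(det, N) != 1:
            continue                             # system not uniquely solvable
        b1 = (m * t - x_inv * r) % N
        b2 = (m * t_inv - x * r) % N
        det_inv = pow(det, -1, N)
        s = (t_inv * b2 - t * b1) * det_inv % N
        k = (x * b2 - x_inv * b1) * det_inv % N
        if k % 2 == 1:                           # the scheme requires odd k
            return k, r, s


def verify(y, m, sig):
    """Eq. (1): y^(s^2+r^2) = r^(m^2+k^2) * g^(4(mk-sr)) mod p."""
    k, r, s = sig
    lhs = pow(y, (s * s + r * r) % N, P)
    rhs = pow(r, (m * m + k * k) % N, P) * pow(G, 4 * (m * k - s * r) % N, P) % P
    return lhs == rhs


if __name__ == "__main__":
    rng = random.Random(1)                       # fixed seed for a repeatable run
    x, y = keygen(rng)
    sig = sign(x, 42, rng)
    print("g =", G, "y =", y, "signature (k, r, s) =", sig)
    print("valid:", verify(y, 42, sig))
```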
6.10. Improved Shao's Signature Scheme

In 1998, Shao proposed two digital signature schemes and claimed that their security is based on the difficulties of computing both integer factorization and discrete logarithms. However, in 1999, Lee demonstrated that Shao's signature schemes can be broken if the factorization problem can be solved. H. F. Lin, Jenshiuh Liu and C. Y. Chen 2007 [33] proposed an improvement of Shao's signature schemes and showed that it can resist Lee's attack. The proposed scheme is based on two hard problems: its security is based on the difficulties of computing integer factorization and discrete logarithms. The scheme can resist the following attacks: (1) the task for an attacker of recovering the signer's secret key from his public key is equivalent to solving both the discrete logarithm problem and the factorization problem; (2) the task of forging a valid signature for a message is at least equivalent to solving the discrete logarithm problem or the factorization problem; (3) the proposed scheme can resist the substitution attack if the factorization problem is unsolvable; and (4) the proposed scheme is immune from homomorphism attacks. One disadvantage of the proposed scheme is that the signature needs some more computational effort and one more integer field compared to Shao's. Similar to Shao's schemes, each entity is responsible for generating the following system parameters:

7. DIGITAL SIGNATURE WITH ADDITIONAL FUNCTIONALITY

There are many alternative digital signature schemes which provide functionality beyond authentication and other properties. In these digital signature schemes, a basic digital signature scheme (e.g. RSA, Elgamal) is combined with a specific protocol to achieve additional features which the basic method does not provide. The additional features determine the particular type of digital signature realized. Some well-known digital signature schemes with additional functionality are described below:
7.1. Multi Signature Scheme

In many commercial applications, the signature of more than one person is required on a document. When more than one key is required for a signature, we call this signature a multi-signature [11-17]. These signatures are useful when a company issues cheques which need to be authorized by more than one person. These signatures are also useful in the case of contracts which are to be signed by business partners.
7.2. Group Signature Scheme

Consider a group of people in which every member of the group is authorized to sign documents on behalf of the group. This type of signature is called a group signature [18, 19]. A group signature allows its members to sign messages in such a way that:

(a) Only members of the group can sign the message.
(b) The receiver of the signature can verify that it is a valid signature.
(c) The receiver of the signature cannot identify which member of the group is the signer.
(d) In case of disputes, later on either the group members together or a trusted authority can identify the signer.
7.3. Threshold Signature Scheme

A (t, n) threshold scheme [35-38] is a scheme to distribute a secret key K among n users in such a way that any t users can cooperate to reconstruct K, but a collusion of t − 1 or fewer users reveals nothing about the secret.
7.4. Undeniable Signature Scheme

An undeniable signature [39-42], like a digital signature, is a number issued by a signer that depends on the message issued. Unlike a digital signature, an undeniable signature can only be verified with the help of the signer.


7.5. Blind Signature Scheme

The basic idea is that the sender A sends a piece of information to the signer B, which B signs and returns to A. From this signature, A can compute B's signature on an a priori message of his choice. At the completion of the protocol, B knows neither the message nor the signature associated with it. The purpose of the blind signature is to prevent the signer B from observing the message it signs and the signature; hence, it is later unable to associate the signed message with the sender A.
7.6. Proxy Signature Scheme

Delegation of rights is a common practice in the real world. If a manager of a company goes on holiday, he has to delegate to his deputy the capability to sign on behalf of the company. In the paper-based world, a corporate seal is used for this purpose. A corporate seal represents the organization, not the person who has the authority to use the seal.

8. CONCLUSION

The concept of public key cryptography was invented by Diffie and Hellman in 1976. Since then, several public key cryptographic algorithms based on a single computationally hard problem, such as factorization or the discrete logarithm problem, have been proposed. Although these algorithms appear secure today, it is very likely that a clever cryptanalyst will discover some efficient way to solve these hard problems in the future. In 1998, McCurley proposed a key distribution system based on a double hard problem, that is on both integer factorization problems. Since then, several cryptographic systems have been proposed that try to base their security on solving two or more hard problems simultaneously in order to enhance security. In 1998, Shao also proposed a dual algorithm digital signature scheme with optimized computational and memory requirements. However, Li and Xiao revealed that the two schemes were insecure. If one valid signature is known, one can forge a valid signature for a randomly chosen message. In 2007, Wei presented two improvements of Shao's signature schemes and showed that the new scheme can resist Li and Xiao's attack. The security of these schemes was therefore claimed to be based on the difficulty of computing integer factorization and discrete logarithm problems. H. F. Lin, C. Y. Gun and C. Y. Chen showed that Wei's schemes were still insecure: without solving either the factoring problem or the discrete logarithm problem, one can forge a valid signature of an arbitrary message by using Pollard and Schnorr's method.
References
[1] G. J. Simmons, Contemporary Cryptography: The Science of Information Integrity, IEEE Press, (1992).
[2] John W. Rittinghouse, and William M. Hancock, Cyber Security Operation Hand Book, Elsevier Digital Press, (2003).

[3] Whitfield Diffie, and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, 22(6), (1976), 644-654.
[4] Rivest R., A. Shamir, and L. Adleman, A Method for Obtaining Digital Signature and Public Key Cryptosystem, Commun. ACM., 21, (1978), 120-126. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.40.5588.
[5] ElGamal T., A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithm, IEEE Trans. Inform. Theory IT, 31, (1985), 469-472, http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C84/10.PDF.
[6] V. Miller, Uses of Elliptic Curves in Cryptography, Proc of CRYPTO 85, (1986), 417-426.
[7] N. Koblitz, Elliptic Curve Cryptosystems, Mathematics of Computation, (1987), 203-209.
[8] N. Koblitz, Hyperelliptic Cryptography, Journal of Crypto, (1989), 139-150.
[9] Tao LONG, and Xiaoxia LIU, Two Improvements to Digital Signature Scheme Based on the Elliptic Curve Cryptosystem, Proceedings of the 2009 International Workshop on Information Security and Application (IWISA 2009) Qingdao, China, (November 21-22, 2009), ISBN 978-952-5726-06-0.
[10] H. Ong, C. Schnorr, and A. Shamir, An Efficient Signature Scheme Based on Quadratic Forms, In Proc. 16th ACM Symp. Theoretical Computer Science, (1984), 208-216.
[11] Hardjono T., and Zheng Y., A Practical Digital Multi-Signature Scheme Based on Discrete Logarithm, Advance in Cryptology Auscrypt 92, Springer-Verlag, (1992), 16-21.
[12] Harn L., and Kiesler T., New Scheme for Digital Multi-Signature, Electronic Letters, 25(15), (1989), 1002-1003.
[13] Harn L., (t, n) Threshold Signature and Digital Multi-Signature, Proceeding of Workshop on Cryptography & Data Security, Chung Cheng Institute of Technology, ROC, (1993), 61-73.
[14] Harn L., Group Oriented (t, n) Threshold Signature Scheme and Digital Multi-Signature, IEEE, Proc Computer Digit Tech., 141(5), (1994), 307-313.
[15] Hwang T., and Chen C. C., A New Proxy Multi-Signature Scheme, International Workshop on Cryptography and Network Security, Taipei, (2001), 26-28.
[16] Okamoto T., A Digital Multi-Signature Scheme Using Bijective PKC, ACM Transactions on Computer Systems, 6(8), (1988), 432-441.
[17] Ohta K., and Okamoto T., A Digital Multi-Signature Scheme Based on Fiat-Shamir Scheme, Advance in Cryptology Asiacrypt 91, Springer-Verlag, (1991), 75-79.
[18] Chaum D., Group Signatures, Advance in Cryptology Eurocrypt 91, Springer-Verlag, (1991), 257-265.
[19] Chen L., and Pedersen T. P., New Group Signature Schemes, Advance in Cryptology Eurocrypt 94, Springer-Verlag, (1994), 171-181.
[20] D. R. Stinson, Cryptography Theory and Practice, CRC Press, (1995).
[21] X. Pan, A New Digital Signature Scheme Based on Elliptic Curve, Computer Systems and Applications, (2008), 35-37.
[22] Rabin M. O., Digitalized Signatures and Public Key Functions as Intractable as Factorization, Tech. Rep., MIT/LCS/TR-212, MIT Laboratory for Computer Science, MIT, Cambridge, MA, (1979).
[23] Chang C. C., Jan J. K., and Kowng H. C., A Digital Signature Scheme Based Upon the Theory of Quadratic Residues, Cryptologia, 21(1), (1997), 55-70.
[24] Fan C. I., and Lei C. L., Efficient Blind Signature Scheme Based on Quadratic Residues, Electron. Lett., 32(9), (1996), 811-813.

[25] Fan C. I., and Lei C. L., Low-Computation Blind Signature Schemes Based on Quadratic Residues, Electron. Lett., 32(17), (1996), 1569-1570.
[26] Feige U., Fiat A., and Shamir A., Zero Knowledge Proofs of Identity, J. Cryptol., 1(2), (1988), 77-94.
[27] Fiat A., and Shamir A., How to Prove Yourself: Practical Solutions to Identification and Signature Problem, Adv. Cryptol. CRYPTO 86, (Springer-Verlag, 1987), 186-194.
[28] Harn L., and Kiesler T., Improved Rabin's Scheme with High Efficiency, Electron. Lett., 25(11), (1989), 726-728.
[29] Shimada M., Another Practical Public-Key Cryptosystem, Electron. Lett., 28(23), (1992), 2146-2147.
[30] Nyang D., and Song J., Fast Digital Signature Scheme Based on the Quadratic Residue Problem, Electron. Lett., 33(3), (1997), 205-206.
[31] Wei-Hua He, and Tzong-Chen Wu, Improvement to Nyang-Song Fast Digital Signature Scheme, IEE 1997 Electronics Letters Online No: 19971243.
[32] N. Lee, Security of Shao's Signature Schemes Based on Factoring and Discrete Logarithms, In IEE Proceedings on Computer Digital Techniques, 146, (1999), 119-121.
[33] H. F. Lin, Jenshiuh Liu, and C. Y. Chen, Improved Shao's Signature, Journal of Information Science And Engineering, 23, (2007), 285-298.
[34] James H. Burrows, Digital Signature Standard (DSS), In: Federal Information Processing Standards Publication, 186, 1-5, Fips Pub 186, Computer Systems Laboratory, National Institute of Standards and Technology, (1994).
[35] Desmedt Y., Society and Group Oriented Cryptography, Advances in Cryptology Crypto 87, Springer-Verlag, (1988), 120-127.
[36] Desmedt Y., and Frankel Y., Threshold Cryptosystems, Advances in Cryptology Crypto 89, Springer-Verlag, LNCS # 293, (1990), 307-315.
[37] Desmedt Y., and Frankel Y., Shared Generation of Authenticators and Signatures, Advances in Cryptology Crypto 91, Springer-Verlag, (1991), 457-469.
[38] Desmedt Y., Threshold Cryptography, European Transactions on Telecommunications and Related Technologies, 5(4), (1994), 35-43.
[39] Boyar J., Chaum D., Damgard I., and Pedersen T., Convertible Undeniable Signatures, Advances in Cryptology Crypto 90, Springer-Verlag, LNCS # 537, (1990), 189-205.
[40] Chaum D., and van Antwerpen H., Undeniable Signatures, Advance in Cryptology Eurocrypt 89, Springer-Verlag, (1989), 212-216.
[41] Chaum D., Zero Knowledge Undeniable Signatures, Advance in Cryptology Eurocrypt 90, Springer-Verlag, LNCS # 473, (1990), 458-464.
[42] Chaum D., Designated Confirmer Signatures, Advance in Cryptology Eurocrypt 94, Springer-Verlag, LNCS # 950, (1995), 86-91.
