A Signature Algorithm Based on DLP and Computing Square Roots

In this work, we present a new digital signature protocol based on the discrete logarithm problem and computing square roots modulo a large composite number. This method can be used as an alternative if known systems are broken.

The article is arranged as follows. In the next section, we expose ElGamal signature and one of its variants. We devote the third section to describe our contribution and to analyze the security issue. The conclusion is given in the fourth section.
In the sequel, we use ElGamal paper notation. is the set of integers. For every positive integer , we denote by the finite ring of modular integers and by the multiplicative group of its invertible elements. Let and be three integers, we write if divides the difference , and when is the remainder of the division of by .

Elgamal Signature Protocol
In this section we recall ElGamal signature scheme [2], in three steps.
Electronic copy available at: https://ssrn.com/abstract=3517201 Step 1. Alice chooses three numbers: -, a large prime integer. -, a primitive root of the finite multiplicative group . -, a random element of .
Then she computes . Parameters and are respectively Alice public and private key.
Step 2. To sign a message , Alice needs to solve the equation: (1) where are the unknown variables.
Alice fixes arbitrarily to be , where is chosen randomly and invertible modulo . Equation (1) is then equivalent to: (2) As Alice knows the secret key , and as the integer is invertible modulo , she computes the other unknown variable .
Step 3. Bob can verify the signature by checking that congruence (1) is valid for the variables and given by Alice.
In the next section, we describe briefly a digital signature protocol that was conceived by one of the authors in 2011 [4].

Variant of ElGamal Signature Protocol
Let , where is a secure hash function (e.g., SHA1 [6,10]), and the message to be signed by Alice.
The modulo is a large prime integer. Element is a primitive root of the finite multiplicative group . Number is calculated by , where is chosen randomly in .
The variant [4] is based on the equation: Parameters are unknown and is Alice public key. To Solve (3), Alice fixes arbitrarily to be , and s to be , where are selected randomly in . Equation (3) is then equivalent to: Electronic copy available at: https://ssrn.com/abstract=3517201 Alice knows the values of and , she can compute the third unknown variable . Bob verifies the signature by checking the congruence (3).
This scheme has the advantage that it does not use the extended Euclidean algorithm for computing . Now, we move to our contribution.

OUR SIGNATURE PROTOCOL
In this section we propose our contribution and analyze its security

Description of the Protocol
Let be a prime integer in the form , where and are two distinct primes such as and . Alice public key is , where α is a primitive root of the finite multiplicative group . Let , Alice must keep secret. The parameters and constitute Alice private key. We propose the following new protocol: To sign the hash of a message , Alice has to give a solution of the equation: We have Alice will use the Chinese remainder theorem to calculate t from (6), provided that the expression is a quadratic residue modulo and modulo , which can be verified by using Legendre symbol [10].
Let us illustrate the method by the following example.

Example
Suppose that Alice private key is . So . We take the primitive element modulo as so . Thus the public key is .
Let and be two random exponents chosen by Alice. We have and .
To sign the hash of a message , Alice will need equation (6) to get the third element of the signature.
We have: By using the Chinese remainder theorem, Alice finds four valid values for . Then, she chooses for example .
If we replace and in equation (5) we can verify that is a valid solution. Therefore, Alice signature for the message is . Now, we analyze the security of our protocol.

Security Analysis
In this section we discuss four possible attacks. Assume that Oscar is Alice opponent.

Attack 1:
a) If Oscar fixes and , he cannot obtain from equation (5) because, knowing the right part of the equivalence, he has to solve discrete logarithm problem to get . And if he succeeded, he would have to calculate the square root of modulo the large prime A task that seems to be as hard as factoring (see [6,8,10]). b) If he fixes and in order to get , then, formula (5) is equivalent to , for which, there is no known way to determine . Oscar cannot use equation (6) as long as he ignores the value of kept secret by Alice. c) If he fixes and and wants to get , then, from formula (5) we have , and there is no known way to determine from this equivalence. Oscar cannot use equation (6) as long as he ignores the value of kept secret by Alice.

Attack 2:
If Oscar takes Alice's signature of a message M, and tries to acquire . From equation (6) we have , calculating from this equivalence is impossible, because and remain unknown.

Attack 3:
Assuming Oscar is able to solve the discrete logarithm problem [2]. So he can find Alice private exponent , therefore, computes from equation (6). However, calculating from the modular equation is believed to be as hard as factoring the large composite number (see [6,8,10]) Attack 4: Assuming Oscar is able to solve Rabin modular equation , where is the unknown variable. He would like to exploit relation (6) to find . But, he needs , and to have he must solve a discrete logarithm problem, since .

Complexity of our Scheme
As in reference [3], let , and be respectively the time to perform a modular multiplication, a modular exponentiation and to compute the hash of a message . The time needed for operations such as comparison, modular addition and substraction is ignored. We make the conversion .
Generating a signature requires six modular exponentiations, three modular multiplications and one hash function computation. The estimated time for signing a message is: To verify a message, Bob needs to perform five modular exponentiations, two modular multiplications and one hash function computation. The estimated verification time is:

CONCLUSION
In this paper we presented a new digital signature method. It is based on two hard equations: discrete logarithm problem and computing square root modulo a large integer. We also discussed its security and complexity.

ACKNOWLEDGEMENTS
This work is supported by MMSy e-Orientation project.