A note on digital signature scheme using a self-pairing map

doi:10.1016/j.amc.2004.10.049

Applied Mathematics and Computation

Volume 169, Issue 1, 1 October 2005, Pages 472-475

https://doi.org/10.1016/j.amc.2004.10.049 Get rights and content

Abstract

Recently, Lee proposed a notion of self-pairing map and presented two cryptographic applications: one is a key agreement scheme and the other is a digital signature scheme. In this paper, we show that the self-pairing map of Lee is not applicable to the suggested applications and that the signature scheme is even totally broken.

Introduction

Bilinear maps such as the Weil/Tate pairing are well-known functions defined on elliptic curves and very useful in cryptography [2]. In general, a bilinear map is of the type G₁ × G₁ → G₂, where G₁ and G₂ are different groups. Recently, Lee proposed a self-pairing map which is bilinear and G₁ = G₂ on finitely generated free R-modules of rank two, where R is a commutative ring with identity, and applied it to the elliptic curve based cryptographic schemes: Key agreement and Digital signature [3]. Each scheme is a variant of ECDH and ECDSA, respectively [1]. In this paper, we show that the digital signature scheme using the self-pairing map is totally broken and also remark that the self-pairing map proposed in [3] is not a necessary factor for suggested cryptographic applications.

Section snippets

Review of Lee’s signature scheme

Let K be a finite field with characteristic p. Let E be an elliptic curve over $\bar{K}$ , where $\bar{K}$ is an algebraic closure of K, and let $O$ be the point at infinity of E. Since the n-torsion subgroup of E for n relative prime to p is equivalent to $Z_{n} \oplus Z_{n}$ , there is a generating pair {S, T} of E[n]. Consider elements P = a₁S + b₁T and Q = a₂S + b₂T, where $a_{1}, a_{2}, b_{1}, b_{2} \in Z_{n}$ . Then for some fixed integers $α, β \in Z_{n}$ , a self-pairing map $L_{α, β}^{n} : E [n] \times E [n] \to E [n]$ is defined by $L_{α, β}^{n} (P, Q) = (a_{1} b_{2} - b_{1} a_{2}) (α S + β T) .$

This map satisfies the

A security flaw of the signature scheme

Lee’s digital signature scheme is a variant of ECDSA [1]. The author asserts in [3, p. 677] that this signature scheme is more efficient than ECDSA because only one random factor is used. But this improvement does not guarantee the security of the scheme. We can easily get the unique secret random factor a of the signer from the signature (r, s). Since anyone can compute $H (m) \in Z_{l}$ and (r, s) is given, the equation $x = s^{- 1} (H (m) + r) \mod l$ can be solved directly. The solution of this equation is the secret

References (3)

H.-S. Lee
A self-pairing map and its applications to cryptography
Appl. Math. Comp.
(2004)

There are more references available in the full text version of this article.

Cited by (1)

Research on downstream encryption scheme based on timestamp in GEPON network
2012, Journal of Networks

View full text