
A Specifiable-Verifier Group-Oriented Threshold Signature Scheme Based on the Elliptic Curve Cryptosystem


Academic year: 2021


2002 International Computer Symposium (ICS2002)

(1) Name of the workshop: Workshop on Cryptology and Information Security
(2) Title of the paper: A Specifiable-Verifier Group-Oriented Threshold Signature Scheme Based on the Elliptic Curve Cryptosystem
(3) A short abstract: Aimed at the group-oriented threshold signature, the research is devoted to the specifiable-verifier characteristic in a group-oriented cryptosystem. In light of the characteristic, the group of signers is provided with the limits of authority to specify the group of verifiers. Moreover, the elliptic curve cryptosystem is applied to the integration with the proposed scheme due to the superiority of low-amount operation, so that the performance can be raised to be more efficient than that by the other algorithms.
(4) Name: Tzer-Shyong Chen, Gwo-Shiuan Huang, Yu-Fang Chung, and Nien-Tzu Chang
Current affiliation: Department of Computer Science and Information Engineering, Da-Yeh University
Postal address: Department of Computer Science and Information Engineering, Da-Yeh University, 112 Shan-Jiau Rd, Da-Tsuen, Changhua, Taiwan 515, R.O.C.
E-mail address: [email protected]
Telephone number: 0923696355
(5) Name of the contact author: Tzer-Shyong Chen
(6) A list of keywords: threshold signature, elliptic curve cryptosystem, elliptic curve discrete logarithm problem, cryptography.

A Specifiable-Verifier Group-Oriented Threshold Signature Scheme Based on the Elliptic Curve Cryptosystem

Tzer-Shyong Chen, Gwo-Shiuan Huang*, Yu-Fang Chung*, Nien-Tzu Chang*

Department of Information Management, Tunghai University, Taichung, Taiwan 40744, R.O.C.
* Department of Computer Science and Information Engineering, Da-Yeh University
E-mail: [email protected]

Abstract

Aimed at the group-oriented threshold signature, the research is devoted to the specifiable-verifier characteristic in a group-oriented cryptosystem. In light of the characteristic, the group of signers is provided with the limits of authority to specify the group of verifiers. Moreover, the elliptic curve cryptosystem is applied to the integration with the proposed scheme due to the superiority of low-amount operation, so that the performance can be raised to be more efficient than that by the other algorithms.

Key words: threshold signature, elliptic curve cryptosystem, elliptic curve discrete logarithm problem, cryptography.

1. Introduction

The concept of group-oriented cryptography, initiated by Desmedt [1] in 1987, is devoted to secure communication between groups. Group-oriented schemes were then developed further into threshold signature schemes. By applying the perfect secret sharing scheme of Shamir [2], Harn [3] first constructed a (t, n) threshold signature

scheme based on the property of Lagrange polynomials. In a so-called (t, n) threshold signature scheme, only t members of an n-member group are needed to represent the whole group and give a valid signature in the name of the group, where t is a threshold value with 1 ≤ t ≤ n. In recent years, much related research [4-10] has been proposed. However, some of these schemes allow anyone to play the role of verifier for the signature. A (t, n) threshold signature scheme with (k, l) threshold shared verification [11] was later presented by Wang et al. to specify the verifier. In other words, one cannot verify the group signature unless he is a specified verifier. In the scheme by Wang et al., any k members of a specific l-verifier group can act for the verification of the group signature, where k is a threshold value with 1 ≤ k ≤ l. Later, in 2002, Hsu et al. [12] showed that the scheme violates the requirements for (k, l) threshold shared verification. That is, an attacker can verify the validity of the group signature alone, without the help of the others in the group of verifiers. Besides, Hsu pointed out that the private key of the signer can easily be retrieved from the individual signature for a message. To close these two security leaks, Hsu proposed an improvement in which a number is randomly selected through a system center (SC), so that the above-mentioned weaknesses are prevented. However, the additional operation through the SC for each generation of an individual signature is inefficient. Therefore, a new scheme is proposed in this research that achieves both security and efficiency based on the elliptic curve cryptosystem [13-16], and that omits the additional operation by the SC in the generation phase of the individual signature.

In the following, Section 2 briefly reviews the scheme by Hsu for comparison. Section 3 presents the proposed scheme with special

emphasis on the elliptic curve cryptosystem. Section 4 analyses the security and efficiency of the proposed scheme presented in the previous two sections. Section 5 furnishes the conclusions.

2. Review of the Scheme by Hsu

This section briefly introduces the scheme by Hsu and the related concepts. The scheme requires a system center (SC) in charge of generating the system parameters, the individual/group private keys, and the individual/group public keys. First, let $G_s = \{u_{s1}, u_{s2}, \dots, u_{sn}\}$ denote the n-signer group, and let $G_v = \{u_{v1}, u_{v2}, \dots, u_{vl}\}$ denote the l-verifier group. Any t members of the n-signer group can give a valid signature for the signer group $G_s$, and any k members of the l-verifier group can verify the validity of the received group signature for the verifier group $G_v$. Then, these t signers jointly elect a clerk (CLK) from among themselves to validate all individual signatures and to combine the t valid individual signatures into a group signature. The procedure contains the following three phases: Parameter Generation Phase, Individual Signature Generation and Verification Phase, and Group Signature Generation and Verification Phase.

2.1 Parameter Generation Phase

The SC determines the required parameters and keys as follows:
(1) two large primes p and q, where $q \mid p-1$;
(2) a generator g with order q over GF(q);
(3) a one-way hash function h;
(4) two secret polynomials $f_s(x) = a_{t-1}x^{t-1} + a_{t-2}x^{t-2} + \cdots + a_1 x + a_0 \bmod q$ and $f_v(x) = c_{k-1}x^{k-1} + c_{k-2}x^{k-2} + \cdots + c_1 x + c_0 \bmod q$, where $a_i, c_j \in [1, q-1]$

for $i = 0, 1, 2, \dots, t-1$ and $j = 0, 1, 2, \dots, k-1$;
(5) a group private key $f_s(0) = a_0$ and a group public key $Y_s = g^{f_s(0)} \bmod p$ for $G_s$, and a group private key $f_v(0) = c_0$ and a group public key $Y_v = g^{f_v(0)} \bmod p$ for $G_v$;
(6) an individual private key $f_s(x_{si})$ and public key $y_{si} = g^{f_s(x_{si})} \bmod p$ for each signer $u_{si}$ in $G_s$, where $i = 1, 2, \dots, n$ and $x_{si}$ is the public value associated with signer $u_{si}$;
(7) an individual private key $f_v(x_{vi})$ and public key $y_{vi} = g^{f_v(x_{vi})} \bmod p$ for each verifier $u_{vi}$ in $G_v$, where $i = 1, 2, \dots, l$ and $x_{vi}$ is the public value associated with verifier $u_{vi}$.
Then, the SC declares the system parameters p, q, g, h, $y_{si}$ (for $i = 1, 2, \dots, n$), $y_{vi}$ (for $i = 1, 2, \dots, l$), $Y_s$, and $Y_v$ public.

2.2 Individual Signature Generation and Verification Phase

The SC first selects the required functions and parameters, as follows:
(1) a secret polynomial $f_b(x) = b_{t-1}x^{t-1} + b_{t-2}x^{t-2} + \cdots + b_1 x + b_0 \bmod q$, where $b_i \in [1, q-1]$ for $i = 0, 1, 2, \dots, t-1$;
(2) a secret value $f_b(0) = b_0$ and a public value $Y_b = g^{f_b(0)} \bmod p$ for $G_s$;
(3) a secret value $f_b(x_{si})$ and a public value $y_{bi} = g^{f_b(x_{si})} \bmod p$ for each signer $u_{si}$ in $G_s$, where $i = 1, 2, \dots, n$.
It is noteworthy that $f_b(0)$, $Y_b$, $f_b(x_{si})$, and $y_{bi}$ are all random values that change with each signature. Assume that there are t signers ($u_{s1}, u_{s2}, \dots, u_{st}$). In order to give a valid

signature for a message m, each $u_{si}$ ($i = 1, 2, \dots, t$) uses his private key $f_s(x_{si})$, the group public key $Y_v$ of $G_v$, and the random integer $f_b(x_{si})$ to compute the commitment value, as follows:

$$r_{si} = Y_v^{\,(f_b(x_{si}) + f_s(x_{si})) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}} \bmod p$$

Then, each of the t signers sends $r_{si}$ to the other associates via a secure channel. After receiving all $r_{si}$ ($i = 1, 2, \dots, t$), each $u_{si}$ ($i = 1, 2, \dots, t$) computes r and $s_i$, as follows:

$$r = \prod_{i=1}^{t} r_{si} \bmod p$$

$$s_i = h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} - r f_b(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} \bmod q$$

where r can be regarded as the common session key between the groups $G_s$ and $G_v$ because

$$r = \prod_{i=1}^{t} r_{si} = \prod_{i=1}^{t} Y_v^{\,\left(f_b(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} + f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\right)} = Y_v^{\,(f_b(0) + f_s(0))} = g^{f_v(0) f_b(0)} g^{f_v(0) f_s(0)} = Y_b^{f_v(0)} Y_s^{f_v(0)} \pmod p.$$

After that, $u_{si}$ sends $s_i$, which is regarded as the individual signature for m, to the CLK, who then verifies the validity of $s_i$ according to the equality:

$$y_{si}^{\,h(m) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}} \stackrel{?}{=} g^{s_i}\, y_{bi}^{\,r \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}} \pmod p$$

If the equality holds, then the individual signature $s_i$ is verified to be valid.

2.3 Group Signature Generation and Verification Phase

If these t individual signatures are all verified to be valid, the CLK computes the group signature for m, as follows:

$$s = \sum_{i=1}^{t} s_i \bmod q$$

Then, he sends the group signature to the group $G_v$. To verify its validity, each verifier $u_{vi}$ ($i = 1, 2, \dots, k$) first computes:

$$r_{vi} = (Y_s Y_b)^{\,f_v(x_{vi}) \prod_{j=1, j \neq i}^{k} \frac{0 - x_{vj}}{x_{vi} - x_{vj}}} \bmod p$$

Then, every verifier sends it to the other associates via a secure channel. Upon receiving all $r_{vi}$ ($i = 1, 2, \dots, k$), each associated verifier computes $r = \prod_{i=1}^{k} r_{vi} \bmod p$. Afterwards, the validity of the group signature s for m can be verified according to the following equality:

$$Y_s^{h(m)} \stackrel{?}{=} g^{s}\, Y_b^{r} \pmod p$$

If the equality is satisfied, the group signature is valid.

3. The Proposed Scheme

This section introduces the proposed scheme. The scheme requires a system center (SC) to generate the necessary parameters of the system and users. Let a group of n signers be denoted $G_s = \{u_{s1}, u_{s2}, \dots, u_{sn}\}$, in which any t members ($1 \le t \le n$) can give a valid group signature for a message in the name of the whole group, and let a group of l verifiers be denoted $G_v = \{u_{v1}, u_{v2}, \dots, u_{vl}\}$, in which any k members ($1 \le k \le l$) can verify the validity of the received group signature for the whole verifier group. Then, these t signers jointly elect a clerk (CLK) from among themselves to validate all individual signatures and to combine the t valid individual signatures into a group

signature. The procedure consists of three phases: Parameter Generation Phase, Individual Signature Generation and Verification Phase, and Group Signature Generation and Verification Phase.

3.1 Parameter Generation Phase

The SC is responsible for generating the required parameters of the system and the keys of the users, as follows:
(1) a field size p, which is a large odd prime;
(2) two field elements a and b ∈ $F_p$ that define the elliptic curve equation E over $F_p$ (i.e. $y^2 = x^3 + ax + b \pmod p$, where $p > 3$ and $4a^3 + 27b^2 \neq 0 \pmod p$);
(3) a finite point $G = (x_g, y_g)$ whose order is a large prime number over $E(F_p)$, where $G \neq O$ (O denotes the point at infinity);
(4) the order q of G;
(5) a one-way hash function h;
(6) two secret polynomials $f_s(x) = a_{t-1}x^{t-1} + a_{t-2}x^{t-2} + \cdots + a_1 x + a_0 \bmod q$ and $f_v(x) = c_{k-1}x^{k-1} + c_{k-2}x^{k-2} + \cdots + c_1 x + c_0 \bmod q$, in which $a_i, c_j \in [1, q-1]$ for $i = 0, 1, 2, \dots, t-1$ and $j = 0, 1, 2, \dots, k-1$;
(7) a group private key $f_s(0) = a_0$ and a group public key $Y_s = f_s(0)G$ for $G_s$, and a group private key $f_v(0) = c_0$ and a group public key $Y_v = f_v(0)G$ for $G_v$;
(8) an individual private key $f_s(x_{si})$ and public key $y_{si} = f_s(x_{si})G$ for each signer $u_{si}$ in $G_s$, in which $i = 1, 2, \dots, n$ and $x_{si}$ is the public value associated with signer $u_{si}$;
(9) an individual private key $f_v(x_{vi})$ and a public key $y_{vi} = f_v(x_{vi})G$ for each

verifier $u_{vi}$ in $G_v$, in which $i = 1, 2, \dots, l$ and $x_{vi}$ is the public value associated with verifier $u_{vi}$.
Then, the SC declares the system parameters p, E, G, q, h, $y_{si}$ (for $i = 1, 2, \dots, n$), $y_{vi}$ (for $i = 1, 2, \dots, l$), $Y_s$, and $Y_v$ public.

3.2 Individual Signature Generation and Verification Phase

Assume that there are t signers ($u_{s1}, u_{s2}, \dots, u_{st}$). In order to give a valid signature for the message m, each $u_{si}$ ($i = 1, 2, \dots, t$) generates the individual signature, as follows:

Step 1: Randomly select an integer $b_{si} \in [1, q-1]$ to compute $B_{si} = b_{si}G$, in which $B_{si}$ is a point, and send $B_{si}$ to the other associates through a broadcast channel;

Step 2: Combine all received $B_{si}$ ($i = 1, 2, \dots, t$) to obtain B, as follows:

$$B = \sum_{i=1}^{t} B_{si} = (x_b, y_b)$$

Step 3: Compute the following commitment value $r_{si}$, which is a point, using the private key $f_s(x_{si})$, the group public key $Y_v$ of $G_v$, and the random integer $b_{si}$, then send $r_{si}$ to the other associates through a secure channel;

$$r_{si} = \left(b_{si} + f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\right) Y_v$$

Step 4: Derive the common session key r of $G_s$ and $G_v$ using all of the received $r_{si}$ ($i = 1, 2, \dots, t$), so as to generate the individual signature $s_i$, which is a point, and send $s_i$ to the CLK, in which

$$r = \sum_{i=1}^{t} r_{si} = (x_r, y_r)$$

$$s_i = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} - x_r b_{si} \bmod q,$$

where the session key r is achieved due to the following equality:

$$r = \sum_{i=1}^{t} r_{si} = \sum_{i=1}^{t} b_{si} Y_v + \sum_{i=1}^{t} f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, Y_v = f_v(0) B + f_v(0) Y_s$$

After receiving all individual signatures for the message m, the CLK has to verify the validity of each signature through the following determinant equality:

$$x_b h(m) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, y_{si} \stackrel{?}{=} s_i G + x_r B_{si}$$

If the equality holds, then the individual signature $s_i$ is verified to be valid.

Theorem 1: If the individual signature indeed results from the valid signer, then the signature verification equality holds.

[Proof]

$$s_i = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} - x_r b_{si} \bmod q$$

$$\Leftrightarrow s_i G = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, G - x_r b_{si} G$$

$$\Leftrightarrow s_i G = x_b h(m) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, y_{si} - x_r B_{si}$$

$$\Leftrightarrow x_b h(m) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, y_{si} = s_i G + x_r B_{si}$$

3.3 Group Signature Generation and Verification Phase

If all of the t individual signatures are shown to be valid, the CLK computes the group signature s for the message m and sends it to the verifier group $G_v$, as

follows:

$$s = \sum_{i=1}^{t} s_i \bmod q$$

At the same time, the CLK also has to declare B public. When the verifier group $G_v$ intends to verify the received group signature s, any k verifiers can verify it for the whole verifier group. Each verifier $u_{vi}$ ($i = 1, 2, \dots, k$) computes a commitment value $r_{vi}$ using the private key $f_v(x_{vi})$, the public parameter B, and the group public key $Y_s$ of $G_s$, then sends $r_{vi}$ to the other associates through a secure channel, in which

$$r_{vi} = f_v(x_{vi}) \prod_{j=1, j \neq i}^{k} \frac{0 - x_{vj}}{x_{vi} - x_{vj}}\, (B + Y_s)$$

To verify the validity of the group signature for the message m, each associated verifier computes r after receiving all $r_{vi}$ ($i = 1, 2, \dots, k$), as follows:

$$r = \sum_{i=1}^{k} r_{vi} = (x_r, y_r)$$

If the following determinant equality holds, then the group signature for the message m is verified to be valid:

$$x_b h(m) Y_s \stackrel{?}{=} sG + x_r B$$

Theorem 2: If the group signature indeed results from the valid signer group, then the signature verification equality holds.

[Proof]

$$s_i = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} - x_r b_{si} \bmod q$$

$$\Leftrightarrow s_i G = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, G - x_r b_{si} G$$

$$\Leftrightarrow \sum_{i=1}^{t} s_i G = \sum_{i=1}^{t} \left(x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\, G\right) - \sum_{i=1}^{t} (x_r b_{si} G)$$

$$\Leftrightarrow sG = x_b h(m) Y_s - x_r B$$

$$\Leftrightarrow x_b h(m) Y_s = sG + x_r B$$

4. Estimation of Security and Performance

4.1 Analyses of Security

The security of the proposed scheme is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). The following analyses cover the possible attacks and the reasons why the proposed scheme can withstand them.

(1) Plaintext Attack

The so-called plaintext attacks can take different forms, such as the derivation of the individual private keys $f_s(x_{si})$ and $f_v(x_{vi})$ from the individual public keys $y_{si} = f_s(x_{si})G$ and $y_{vi} = f_v(x_{vi})G$, and the derivation of the group private keys $f_s(0)$ and $f_v(0)$ from the group public keys $Y_s = f_s(0)G$ and $Y_v = f_v(0)G$. Besides, an attacker can try to derive the signer's private key $f_s(x_{si})$ or the verifier's private key $f_v(x_{vi})$ from the commitment value

$$r_{si} = \left(b_{si} + f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}}\right) Y_v \quad \text{or} \quad r_{vi} = f_v(x_{vi}) \prod_{j=1, j \neq i}^{k} \frac{0 - x_{vj}}{x_{vi} - x_{vj}}\, (B + Y_s).$$

Such kinds of solutions are infeasible under the defense of the ECDLP.

(2) Forgery Attack

Assume that an attacker forges a group signature s to make the following determinant equality hold. Such an attack is to randomly select $x_r$, $h(m)$, and the point $B = (x_b, y_b)$ so as to derive the value of s which can satisfy the determinant

equality. However, the difficulty of the derivation reduces to the solution of the ECDLP, so it is infeasible.

$$x_b h(m) Y_s \stackrel{?}{=} sG + x_r B$$

(3) Equation Attack

Assume that an attacker intends to derive the private key $f_s(x_{si})$ of the signer from the following individual signature:

$$s_i = x_b h(m) f_s(x_{si}) \prod_{j=1, j \neq i}^{t} \frac{0 - x_{sj}}{x_{si} - x_{sj}} - x_r b_{si} \bmod q$$

Such a solution is infeasible because the two values $f_s(x_{si})$ and $b_{si}$ in the equality are secret and unknown to any others.

4.2 Analyses of Performance

In the scheme [12] by Hsu, whenever the signer group signs a message in the individual signature generation and verification phase, the SC must assign the group a secret polynomial $f_b(x)$ so as to compute a secret value $f_b(x_{si})$ and a public value $y_{bi} = g^{f_b(x_{si})} \bmod p$. Note that these two values should be different for each signature to prevent the individual private key $f_s(x_{si})$ from being easily derived. However, the same phase in the proposed scheme no longer requires the participation of the SC. Below, for convenience of comparison, a performance analysis contrasting the scheme by Hsu with ours is presented. Table 1 gives the definitions of the notations, and Table 2 shows the comparison of different operations. Then, the required time complexity in the different phases is estimated in Table 3, so that the efficiency in performance can be specifically analyzed.

Table 1: Definitions of Notations

| Notations | Definitions |
|---|---|
| $T_{MUL}$ | the time for the modular multiplication |
| $T_{EXP}$ | the time for the modular exponentiation |
| $T_{ADD}$ | the time for the modular addition |
| $T_{INV}$ | the time for the modular inversion |
| $T_{EC\_MUL}$ | the time for the multiplication of a number and an elliptic curve point |
| $T_{EC\_ADD}$ | the time for the addition of two points in an elliptic curve |

Under the following conditions, the time complexity of the different operations can be roughly expressed in terms of the multiplication operation [17][18]:
- $g^x \bmod p$, where p is a 1024-bit prime and x is a random 160-bit integer.
- $k \times B$ is given, where $B \in E(Z_p)$, E is an elliptic curve defined over $Z_p$, $p \approx 2^{160}$, and k is a random 160-bit integer.

Thus, a comparison between the different kinds of operations and the multiplication operation is given, as follows:

Table 2: Comparison Between the Other Operations and the Multiplication Operation

$T_{EXP} \approx 240\,T_{MUL}$
$T_{EC\_MUL} \approx 29\,T_{MUL}$
$T_{EC\_ADD} \approx 0.12\,T_{MUL}$
$T_{ADD}$ is negligible

Table 3: Estimation of Performance Aimed at Time Complexity

| Items | Scheme by Hsu: Time Complexity | Scheme by Hsu: Rough Estimation | Scheme by us: Time Complexity | Scheme by us: Rough Estimation |
|---|---|---|---|---|
| Parameter Generation Phase | $(n+l+2)\,T_{EXP}$ | $240(n+l+2)\,T_{MUL}$ | $(n+l+2)\,T_{EC\_MUL}$ | $29(n+l+2)\,T_{MUL}$ |
| Individual Signature Generation and Verification Phase | $(n+5)\,T_{EXP} + (7t-3)\,T_{MUL} + (6t-4)\,T_{ADD} + (3t-3)\,T_{INV}$ + 2 Hashing | $(240n+7t+1197)\,T_{MUL} + (3t-3)\,T_{INV}$ + 2 Hashing | $5\,T_{EC\_MUL} + (2t-1)\,T_{EC\_ADD} + (6t-2)\,T_{MUL} + (6t-4)\,T_{ADD} + (3t-3)\,T_{INV}$ + 2 Hashing | $(6.24t+142.88)\,T_{MUL} + (3t-3)\,T_{INV}$ + 2 Hashing |
| Group Signature Generation and Verification Phase | $4\,T_{EXP} + (3k-1)\,T_{MUL} + (t+2k-3)\,T_{ADD} + (k-1)\,T_{INV}$ + 1 Hashing | $(3k+959)\,T_{MUL} + (k-1)\,T_{INV}$ + 1 Hashing | $4\,T_{EC\_MUL} + (k+1)\,T_{EC\_ADD} + (2k-1)\,T_{MUL} + (t+2k-3)\,T_{ADD} + (k-1)\,T_{INV}$ + 1 Hashing | $(2.12k+115.12)\,T_{MUL} + (k-1)\,T_{INV}$ + 1 Hashing |

5. Conclusions

The proposed group-oriented threshold signature scheme achieves the ability to specify the verifier group. Except for the specified group, no one can verify the group signature. Such a characteristic fits certain situations. Moreover, the integration with the elliptic curve cryptosystem makes the scheme secure and efficient.

6. Acknowledgement

This work was supported partially by National Science Council of Republic of China under Grants NSC 90-2213-E-129-003.

References

[1] Y. Desmedt, Society and Group Oriented Cryptography: A New Concept, “Advances in Cryptology, Proc. of Crypto’87,” 1987, pp. 120-127.
[2] A. Shamir, How to Share a Secret, “Commun. ACM,” Vol. 22, 1979, pp. 612-613.
[3] L. Harn, Group-Oriented (t, n) Threshold Signature and Digital Multisignature, “IEE Proc.-Comput. Digit. Tech.,” Vol. 141, No. 5, 1994, pp. 307-313.
[4] C.C. Chang, J.J. Leu, P.C. Hwang, and W.B. Lee, A Scheme for Obtaining a Message from the Digital Multisignature, “International Workshop on Practice and Theory Public Key Cryptography,” Springer-Verlag, 1998, pp. 154-163.
[5] L. Harn, Digital Signature with (t, n) Shared Verification Based on Discrete Logarithms, “Electron. Lett.,” Vol. 29, No. 24, 1993, pp. 2049-2095.
[6] P. Hoster, M. Michels, and H. Peterson, Comment: Digital Signature with (t, n) Shared Verification Based on Discrete Logarithms, “Electron. Lett.,” Vol. 31, No. 14, 1995, pp. 1137.
[7] S.J. Hwang, C.C. Chang, and W.P. Yang, Authenticated Encryption Schemes with Message Linkage, “Inf. Process. Lett.,” Vol. 58, 1996, pp. 189-194.
[8] W.B. Lee and C.C. Chang, Comment: Digital Signature with (t, n) Shared Verification Based on Discrete Logarithms, “Electron. Lett.,” Vol. 31, No. 3, 1995, pp. 176-177.
[9] W.B. Lee and C.C. Chang, Authenticated Encryption Scheme Without Using a One-Way Function, “Electron. Lett.,” Vol. 31, No. 19, 1995, pp. 1656-1657.
[10] C.M. Li, T. Hwang, and N.Y. Lee, Threshold Multisignature Scheme Where Suspected Forgery Implies Tractability of Adversarial Shareholders, “Advances in Cryptology, Proc. of Eurocrypt ’94,” 1995, pp. 194-203.
[11] C.T. Wang, C.C. Chang, and C.H. Lin, Generalization of Threshold Signature and Authenticated Encryption for Group Communications, “IEICE Trans. Fundamentals,” Vol. E83-A, No. 6, 2000, pp. 1228-1237.
[12] C.L. Hsu, T.S. Wu, and T.C. Wu, Improvements of Generalization of Threshold Signature and Authenticated Encryption for Group Communications, “Inf. Process. Lett.,” Vol. 81, 2002, pp. 41-45.
[13] V.S. Miller, Uses of Elliptic Curves in Cryptography, “Advances in Cryptology-CRYPTO’85, Proceedings, Lecture Notes in Computer Science, New York, NY: Springer-Verlag,” No. 218, 1985, pp. 417-426.
[14] N. Koblitz, Elliptic Curve Cryptosystems, “Mathematics of Computation,” Vol. 48, 1987, pp. 203-209.
[15] A.J. Menezes, T. Okamoto, and S.A. Vanstone, Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field, “IEEE Transactions on Information Theory,” Vol. 39, 1993, pp. 1639-1646.
[16] J.S. Brickell and K.S. McCurely, ECC: Do We Need to Count?, “Advances in Cryptology-ASIACRYPT’99, Lecture Notes in Computer Science, Springer-Verlag,” No. 1716, 1999, pp. 122-134.
[17] C. Lin and C. Lee, Elliptic-Curve Undeniable Signature Schemes, “Proceedings of the Eleventh National Conference on Information Security,” 2001, pp. 331-338.
[18] Aleksandar Jurisic and Alfred J. Menezes, Elliptic Curves and Cryptography, “http://www.certicom.com.”
