A Comparative Study of RSA Based Digital Signature Algorithms

A digital signature is a mechanism designed to allow secure communication through an insecure medium and can be traced in many applications where privacy is required. A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document and possibly to ensure that the original content of the message or document that has been sent is unchanged. The main purpose of this study was to extend important and useful digital signature schemes from the domain of natural integers Z to two principal ideal domains; namely, the domain of Gaussian integers Z[i] and the domain of the ring of polynomials over finite fields F[x] by extending arithmetic needed for our extensions to these domains. We implement the classical and modified RSA cryptosystem to compare and to test their functionality, reliability and security. To test the security of the algorithms we implement attack algorithms to solve the factorization problem in Z, Z[i] and F[x]. After factorization is found, the RSA problem could be solved by finding the private key using the extended Euclidean algorithm.


INTRODUCTION
Digital signatures are strong tools applied in order to achieve the security services of authentication (proof of identity of the sender), data integrity (detection of changes to the message) and non-repudiation (prevention of denial of sending the information). They are digital counterpart of handwritten signatures that can be transmitted over a computer network. Only the sender can make the signature, but other people can easily recognize as belonging to the sender. The sender produces a signature consisting of a number associating a message (in digital form) with a secret key. This signature is intended to be unique and it does not necessarily require that a message be encrypted but must be verifiable. Diffie and Hellman introduced the concept of a digital signature in 1976. They published their landmark study "New Directions in Cryptography" [1] . Digital signatures schemes are based on one-way functions that are relatively easy to compute in one direction, but very difficult to compute going the other direction [2] . The RSA signature is the first method scheme discovered and is widely used [3] . The signature works in Z n where n is the product of two large primes p and q and its security is based on the intractability of the integer factorization problem, on the RSA problem and on the selection of the redundancy function. The RSA problem [4] , is finding an integer m such that m e d (mod n), where n is a product of two distinct large odd primes p and q, e is a positive random integer such that gcd(e,(p−1)(q−1)) =1 and an integer d. That is, the RSA problem is that of finding e th roots of an integer d modulo a composite integer n.
The classical signature schemes, such as RSA, ElGamal and Rabin signature schemes, are described in the settings of the domain of integers Z. Many aspects of arithmetic over the domain of integers can be carried out to the domain of Gaussian integers Z[i], the set of all complex numbers of the form a+bi, where a and b are integers and to the domain of polynomials over finite fields F[x] [5] . Recently, the classical signature schemes were modified in many directions in these domains. El-Kassar et al. [6] modified the ElGamal signature scheme from its classical settings of the domain of natural integers to the domain of Gaussian integers by extending the arithmetic needed for the modifications to the domains. Similar extensions to the domain F[x] was given by El-Kassar and Haraty in [7] . Haraty et al. [8] gave a comparative study of the extended ElGamal signature scheme algorithms. In [9] , two extensions of the RSA signature scheme in the domain of Gaussian and the domain of polynomials over finite fields were presented. It was pointed out that the extended algorithms require a little additional computational effort than the classical one and accomplish much greater security.
In this study, we compare and evaluate the classical and modified RSA algorithms. We investigate the issues of complexity, efficiency and reliability by running the programs with different sets of data. Moreover, these different algorithms will be compared. In addition, implementation of an attack algorithm will be presented. Applying specific mathematical concepts to find the private key does this. After finding the key, it will be easy to sign the message. A study will be done using the results of running the attack algorithm to compare the security of the classical and modified signature scheme algorithms.
Classical and modified RSA signature schemes: The classical and modified RSA signature schemes are described in this section. Algorithms and examples are given. These algorithms are implemented to evaluate and compare the various methods.
Classical RSA signature scheme: In RSA signature scheme, entity A generates the public-key by first generating two large random odd primes p and q, each roughly of the same size and computing the modulus n = pq and Euler phi-function (n) = (p−1)(q−1) [4] . Entity A then selects the exponent e to be any random integer in the interval (1, (n)) such that gcd(e, (n))=1. Using the extended Euclidean algorithm for integers, entity A finds the exponent d which is the unique integer (1, (n)) relatively prime to (n) such that ed 1 (mod (n)). Hence, the public-key is the pair (n, e) and A s private-key is the triplet (p, q, d). A generates the signature as follows. Algorithm (RSA signature scheme): * Find two large primes p and q and compute their product n = pq. * Find an integer d that is relatively prime to (n) = (p(1)(q(1). * Compute e from ed 1 (mod (n)). * Broadcast the public key (n, e). * Compute the redundancy function of the message m which is m = R(m) such that R(m) Z n . * Sign the message m using the private-key by applying the rule s m d (mod n). * The receiver validates the signature using the rule m s e (mod n).
Example: In order to generate the public-key, entity A selects the primes p = 852225047 and q = 603309029 and then computes the modulus n = pq = 514155065595049363 and the Euler phi-function (n) = (p−1)(q−1) = 514155064139515288. Next, A selects the exponent e = 231814262079216429 and uses the extended Euclidean algorithm for integers to find the exponent d = 387883402970610381 so that ed 1(mod (n)). Now, the public-key is the pair (n = 514155065595049363, e = 231814262079216429) and A s private-key is the triplet (p = 852225047, q = 603309029, d = 387883402970610381).
To sign the message m = 1101100100111, for simplicity, take R(m) = m so that R is the identity function. Then

RSA signature scheme in the domain of Gaussian integers:
In RSA signature scheme, entity A generates the public-key by first generating two large random Gaussian primes , and computes = . The Gaussian primes of Z[i] up to multiples of ±1 and ±I [10] , are of the form: i) = 1+i; ii) = a+bi and π = a−bi, where q = π = a²+ b² is an odd prime integer of the form 4k+1; iii) p, where p is an odd prime integer of the form 4k+3. If and are selected to be of the form and , then the modified scheme is equivalent to the classical one [9] . If and are selected to be of the form and p, then can be easily factored. Hence, and are selected to be odd integers of the form 4k+3. Next, entity A computes ( ) = ( ) ( ) = ( ²−1)( ²−1), where ( ) is Euler phi-function in Z[i] [11] . It selects a random integer e such that 1<e< ( ) and e is relatively prime to ( ). Then, entity A finds the unique integer d such that ed 1(mod ( )). A's public-key is ( , e) and A's private-key is ( , , d).
Represent the message as a number chosen from the complete residue system modulo , After computing the redundancy function of the message which is = R( ), A computes the signature s = d (mod ) and sends it to B. To verify the signature sent by A, B gets A's public key ( , e), computes the message representative as = s e (mod ) and finally applies verification process to to recover . We note that the message space is enlarged so that its order is the square of that of the classical case. Also, more than the square of that of the classical case enlarges the range for the public exponent e. next; we provide three algorithms describing the RSA signature scheme over the domain of Gaussian integers. First, entity A generates the public and private keys by doing the following.
The advantages of the RSA scheme in Z[i] are: first, generating two primes p and q in the form 4k+3 in both the classical and the modified methods requires the same amount of effort. Second, the modified method provides more security than the classical method since the number of elements that can be chosen from to represent the message m is about the square of those used in the classical case. Therefore, we deduce that the extended RSA over the domain Z[i] provides an extension to the range of chosen messages, which make trials more complicated. The computations involved in the modified method do not require computational procedures that are different from those of the classical method.
RSA signature scheme over quotient rings of polynomials over finite fields: Let p be a prime number and let h(x) and g(x) be two distinct irreducible polynomials in Z p [x], the domain of polynomials over the finite field Since h(x) and g(x) are irreducible, the quotient rings Z p [x]/<g(x)> and Z p [x]/<h(x)> are finite fields of order p s and p r , respectively. Hence, the groups U(Z p [x]/<g(x)>) and U(Z p [x]/<h(x)>) are cyclic with orders (h(x)) = p s −1 and (g(x)) = p r −1, respectively, so that (f(x)) = (p s −1)( p r −1). We provide the algorithms of the extended RSA signature over polynomials. First, entity A generates the public and private keys by doing the following.
Algorithm (key generation for RSA signature over polynomials): * Generate an odd prime p, two distinct monic irreducible polynomials f(x) and g(x) over Z p .

* Compute the order of U(Z p [x]/<h(x)>) which is
(h(x)) = (p s −1)( p r −1). * Select a random integer e where 1<e< (h(x)) such that gcd(e, (h(x))) = 1. * Use the Euclidean algorithm for integers to find the unique multiplicative inverse d of e with respect to (h(x)) such that 1<d< (h(x)) and ed 1 (mod (h(x))) * Publish the key (p, h(x), e) and keep d as private key.
To generate a signature on a message, entity A should do the following. RSA signature scheme attack: The security of the RSA signature scheme is based on the intractability of both the integer factorization problem and the RSA problem. Various attack schemes have been studied in the literature as well as appropriate measures to counteract these threats. Given the public-key, to forge the signature, a passive adversary must solve the RSA problem. There is no known efficient algorithm for this problem. One possible approach, which an adversary could employ, is to find the private key. In order to attack any protocol that uses the RSA signature scheme by finding its private key, the factorization problem must be solved first. After factorization, computing the value of Euler phi-function and then finding the private exponent d using the extended Euclidean algorithm for integers could solve the RSA problem. Once d is found, the signature can be forged. On the other hand, if the classical method is used and an adversary could somehow compute d, then n can efficiently be factored as follows [4] . This shows that in the classical case, the RSA problem and the integer factorization problem are computationally equivalent. It is not known if this remains true for the modified schemes. In the next section we evaluate the various RSA signature schemes by recovering the private key using the software package Mathematica. We illustrate the attack schemes in the following example.     Signature using polynomials  --------------------------------------------------------------------------------------------------- After running the programs, it was clear that these programs have applied the RSA signature scheme in the correct way. All the programs have generated a public and private key with different mathematical concepts. Then a message is signed using the signature scheme and is sent to a verification procedure which returned the original message. The classical and Gaussian schemes were tested using the same public-key. The average running time of several runs using 50, 100, 200, 250 and 300-digit primes are given in Tables 1 and  2. The public-key was generated by randomly selecting odd integers having a given number of digits and of the form 4k+3. The odd integers were tested for primality using the built-in Mathematica function PrimeQ until a prime is found.
To evaluate RSA algorithms using polynomials, we ran programs for various values of the prime p and degree of the irreducible polynomials. The average running time of several runs are listed in Table 3. The public-key was generated using the built-in Mathematica function IrreduciblePolynomial [x, p, d].
Comparing these algorithms, we conclude the following: * All programs are reliable; they can sign, verify and return any message. * The running time for the signature/verification algorithms is negligible in the classical and Gaussian cases. In the polynomial case the time for the signature/verification algorithms becomes significant for large primes and irreducible polynomials with large degree. * The complexity for the three programs depends on the complexity of generating the public-key. Thus, the classical and Gaussian algorithms are equivalent since their public-key generation algorithms are identical when restricting the choice of primes to those of the form 4k+3. The Gaussian method is therefore recommended since the modified method provides an extension to the message space and the public exponent range. * The public-key generation algorithm using polynomials requires the search for irreducible polynomials. The Mathematica built-in algorithm for generating irreducible polynomials appears to be inefficient as p becomes very large and the degree of the polynomial increases.
Attack algorithm: In order to attack any protocol that uses the RSA public key signature scheme by finding its private key, the factorization problem must be solved first. To test the security of the algorithms, we implemented attack schemes applied to the classical and modified signature scheme algorithms. For the classical and Gaussian algorithms, we generated public keys using primes of various sizes. The attack was conducted using the Mathematica built-in function FactorInteger to recover the prime factors. The Euler phi-function was then computed. Finally, the private exponent was obtained. The average running time of several runs are listed in Table 4.  For the RSA algorithms using polynomials, we generated a public-key using a prime p of various sizes and irreducible polynomials f(x) and g(x) of different degrees d. The attack was conducted by factoring f(x) using the built-in function Factor[f, modulus->p] to recover the irreducible factors. The Euler phi-function was then computed. Finally, the private exponent was obtained. The average running time of several runs are listed in Table 5. After running these attack algorithms, we observed the following: * All the attack programs are reliable so that they can sign any message by finding the private key. * Attacking the classical and Gaussian RSA algorithms is easy if we are dealing with small prime numbers. However, when it comes to 100digit prime numbers or higher, it needs about many computers working in parallel processing to compute the prime factorization of the multiplication of two 100-digit prime numbers. * Attacking the RSA polynomial algorithm becomes more difficult as the size of p or the degree of the irreducible polynomials become larger.

CONCLUSION
In this work, we presented the classic RSA signature scheme and two of its modifications, namely, the RSA signature scheme in the domain of Gaussian integers, Z[i] and over quotient rings of polynomials over finite fields. We implemented these algorithms and tested their efficiency, reliability and security. The results obtained showed that all the algorithms applied the RSA signature scheme correctly and generated public and private key using different mathematical concepts. Messages were then signed using the signature scheme and were sent in encrypted form to a verification procedure which validated the signature and returned the original messages.
We also built attack scenarios directly aimed at solving the factorization problem. We modified the RSA attack algorithm to handle the modified algorithms. We observed that the Gaussian method is preferred since it is as secure as the classical one but provides an extension to the message space and to the signature exponent range.
As for future work, we plan to compare and evaluate the efficiency of the modified algorithms using very large numbers by using parallel computing techniques. We plan to run the programs in parallel on many computers and split the complex mathematical calculations between these computers. We plan to write a function that is capable of finding any random irreducible equation with respect to a specific prime number p. We also plan to apply the modified algorithms in many fields such as database, communications and network security.