Résumé: The standard drafts, P1363 [1] and ISO 9796-4 [2], have adopted the discrete-logarithm based on signature equation, S3, which was originally proposed by Nyberg and Rueppel [4]. In [4], the authors also claimed that the signature scheme based on S3 and S5 can resist the known message attack. In this letter, we propose an extended known message attack to show that the message recovery signature scheme based on S3 and S5 has the same security problem.

Langue: Anglais