
Keyword Search Result

[Keyword] message recovery signature(4hit)

  • Message Recovery Signature Schemes from Sigma-Protocols

    Masayuki ABE  Tatsuaki OKAMOTO  Koutarou SUZUKI  

     
    PAPER-Public Key Based Protocols

    Vol: E96-A No:1  Page(s): 92-100

    In this paper, we present a framework to construct message recovery signature schemes from Sigma-protocols. The key technique of our construction is the redundancy function, which adds to the message some redundancy that only a legitimately signed and recovered message can have. We provide a characterization of the redundancy functions that make the resulting message recovery signature scheme provably secure. Our framework includes known schemes when the building blocks are given concrete implementations, i.e., random oracles and ideal ciphers, and hence presents an insightful explanation of their structure.

  • A General Model of Multisignature Schemes with Message Flexibility, Order Flexibility, and Order Verifiability

    Shirow MITOMI  Atsuko MIYAJI  

     
    PAPER-Information Security

    Vol: E84-A No:10  Page(s): 2488-2499

    A multisignature scheme allows plural users to generate a signature on a message, and allows that signature to be verified. Various studies on multisignatures have been proposed. They are classified into two types: RSA-based multisignatures and discrete logarithm problem (DLP) based multisignatures, all of which assume that a message is fixed beforehand. In a sense, these schemes do not have the feature of message flexibility. Furthermore, all schemes which satisfy order verifiability designate the order of signers beforehand. Therefore these protocols have the feature of order verifiability but not order flexibility. For the practical purpose of circulating messages soundly through the Internet, a multisignature scheme with message flexibility, order flexibility and order verifiability is required. Unfortunately, none of the previous multisignature schemes realize these features. In this paper, we propose a general model of multisignature schemes with flexibility and verifiability. We also present two practical schemes, based on a DLP-based message recovery signature and the RSA signature, respectively.

  • Constructing Identity-Based Key Distribution Systems over Elliptic Curves

    Hisao SAKAZAKI  Eiji OKAMOTO  Masahiro MAMBO  

     
    PAPER-Security

    Vol: E81-A No:10  Page(s): 2138-2143

    A key distribution system is a system in which users securely generate a common key. One kind of identity-based key distribution system was proposed by E. Okamoto. Its security depends on the difficulty of factoring a composite number of two large primes, like the RSA public-key cryptosystem. Another kind of identity-based key distribution system was proposed by K. Nyberg and R. A. Rueppel. Its security depends on the difficulty of the discrete logarithm problem. On the other hand, Koblitz and Miller described how a group of points on an elliptic curve over a finite field can be used to construct a public key cryptosystem. In 1997, we proposed an ID-based key distribution system over an elliptic curve, as well as those over the ring Z/nZ. Its security depends on the difficulty of factoring a composite number of two large primes. We showed that this system over an elliptic curve is more suitable for implementation than those over the ring Z/nZ. In this paper, we apply the Nyberg-Rueppel ID-based key distribution system to an elliptic curve. It provides a relatively small block size and high security. This public key distribution system can be efficiently implemented. However, the Nyberg-Rueppel scheme requires relatively large data transmission. As a solution to this problem, we improve the scheme. This improved scheme is very efficient since the data transferred for the common key generation is reduced to half of that in the Nyberg-Rueppel scheme.

  • Another Countermeasure to Forgeries over Message Recovery Signature

    Atsuko MIYAJI  

     
    PAPER-Security

    Vol: E80-A No:11  Page(s): 2192-2200

    Nyberg and Rueppel recently proposed a new ElGamal-type digital signature scheme with a message recovery feature and its six variants. The advantage of small signed message length is effective especially in some applications like public key certifying protocols or key exchange. But two forgeries that present a real threat to such applications have been pointed out. In certifying public keys or key exchanges, redundancy is not preferable, in order to store or transfer small data. Therefore the current systems should be modified in order to integrate the Nyberg-Rueppel signature into such applications. However, there has been no research that prevents the forgeries directly by improving the signature scheme. In this paper, we investigate a condition to avoid the forgeries directly. We also show some new message recovery signatures that are strong against the forgeries by adding a negligible computation amount to their signatures, while not increasing the signature size. The new scheme can be integrated into the above applications without modifying the current systems, while maintaining the security.