Digital signature forgery

In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message, $m$ {\displaystyle m}, and a signature (or MAC), $\sigma$ {\displaystyle \sigma }, that is valid for $m$ {\displaystyle m}, but has not been created in the past by the legitimate signer. There are different types of forgery.^[1]

To each of these types, security definitions can be associated. A signature scheme is secure by a specific definition if no forgery of the associated type is possible.

Types

[edit ]

The following definitions are ordered from lowest to highest achieved security, in other words, from most powerful to the weakest attack. The definitions form a hierarchy, meaning that an attacker able to mount a specific attack can execute all the attacks further down the list. Likewise, a scheme that reaches a certain security goal also reaches all prior ones.

Total break

[edit ]

More general than the following attacks, there is also a total break: when an adversary can recover the private information and keys used by the signer, they can create any possible signature on any message.^[2]

Universal forgery (universal unforgeability, UUF)

[edit ]

Universal forgery is the creation (by an adversary) of a valid signature, $\sigma$ {\displaystyle \sigma }, for any given message, $m$ {\displaystyle m}. An adversary capable of universal forgery is able to sign messages they chose themselves (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.^[1]

Selective forgery (selective unforgeability, SUF)

[edit ]

Selective forgery is the creation of a message/signature pair $(m,\sigma )$ {\displaystyle (m,\sigma )} by an adversary, where $m$ {\displaystyle m} has been chosen by the attacker prior to the attack.^[3]^[4] $m$ {\displaystyle m} may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery, $m$ {\displaystyle m} must be fixed before the start of the attack.

The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.

Existential forgery

[edit ]

Existential forgery (existential unforgeability, EUF) is the creation (by an adversary) of at least one message/signature pair, $(m,\sigma )$ {\displaystyle (m,\sigma )}, where $m$ {\displaystyle m} has never been signed by the legitimate signer. The adversary can choose $m$ {\displaystyle m} freely; $m$ {\displaystyle m} need not have any particular meaning; the message content is irrelevant — as long as the pair, $(m,\sigma )$ {\displaystyle (m,\sigma )}, is valid, the adversary has succeeded in constructing an existential forgery. Thus, creating an existential forgery is easier than a selective forgery, because the attacker may select a message $m$ {\displaystyle m} for which a forgery can easily be created. In contrast, in the case of a selective forgery, the challenger can ask for the signature of a "difficult" message.

Example of an existential forgery

[edit ]

The RSA cryptosystem has the following multiplicative property: $\sigma (m_{1})\cdot \sigma (m_{2})=\sigma (m_{1}\cdot m_{2})$ {\displaystyle \sigma (m_{1})\cdot \sigma (m_{2})=\sigma (m_{1}\cdot m_{2})}.

This property can be exploited by creating a message $m'=m_{1}\cdot m_{2}$ {\displaystyle m'=m_{1}\cdot m_{2}} with a signature $\sigma \left(m'\right)=\sigma (m_{1}\cdot m_{2})=\sigma (m_{1})\cdot \sigma (m_{2})$ {\displaystyle \sigma \left(m'\right)=\sigma (m_{1}\cdot m_{2})=\sigma (m_{1})\cdot \sigma (m_{2})}.^[5]

A common defense to this attack is to hash the messages before signing them.^[5]

Weak existential forgery (strong existential unforgeability, strong unforgeability; sEUF, or SUF)

[edit ]

This notion is a stronger (more secure) variant of the existential forgery detailed above. Weak existential forgery is the creation (by an adversary) of at least one message/signature pair, $\left(m',\sigma '\right)$ {\displaystyle \left(m',\sigma '\right)}, given a number of different message-signature pairs $(m,\sigma )$ {\displaystyle (m,\sigma )} produced by the legitimate signer. In contrast to existential forgeries, an adversary is also considered successful if they manages to create a new signature for an already signed message $m'$ {\displaystyle m'}.

Strong existential forgery is essentially the weakest adversarial goal. Therefore the strongest schemes are those that are strongly existentially unforgeable.

References

[edit ]

^ ^a ^b Vaudenay, Serge (September 16, 2005). A Classical Introduction to Cryptography: Applications for Communications Security (1st ed.). Springer. p. 254. ISBN 978-0-387-25464-7.
^ Goldwasser, Shafi; Bellare, Mihir (2008). Lecture Notes on Cryptography. Summer course on cryptography. p. 170. Archived from the original on 2012年04月21日. Retrieved 2011年01月30日.
^ Shafi Goldwasser and Mihir Bellare. "Lecture Notes on Cryptography" (PDF).
^ Bleumer G. (2011) Selective Forgery. In: van Tilborg H.C.A., Jajodia S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_225
^ ^a ^b Fabrizio d'Amore (April 2012). "Digital signatures - DSA" (PDF). La Sapienza University of Rome. pp. 8–9. Retrieved July 27, 2018.

Stub icon

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

v
t
e

Retrieved from "https://en.wikipedia.org/w/index.php?title=Digital_signature_forgery&oldid=1260245105#Universal_forgery"