Cryptography Reference
In-Depth Information
difficult) to forge signatures in a manner that could pass the verification procedure. It
is difficult to state to what extent handwritten signatures meet these requirements. In
contrast, our discussion of digital signatures will supply precise statements concern-
ing the extent to which digital signatures meet the foregoing requirements. Further-
more, schemes for unforgeable digital signatures can be constructed using the same
computational assumptions as used in the construction of (private-key) encryption
schemes.
In Chapter 6, which will appear in the second volume of this work and will be
devoted to signature schemes, much attention will be focused on defining the security
(i.e., unforgeability) of these schemes. Next, constructions of unforgeable signature
schemes based on various intractability assumptions will be presented. In addition, we
shall treat the related problem of message authentication.
Message Authentication
Message authentication is a task related to the setting considered for encryption schemes
(i.e., communication over an insecure channel). This time, we consider the case of an
active adversary who is monitoring the channel and may alter the messages sent on
it. The parties communicating through this insecure channel wish to authenticate the
messages they send so that the intended recipient can tell an original message (sent by
the sender) from a modified one (i.e., modified by the adversary). Loosely speaking, a
scheme for message authentication
requires
•
that each of the communicating parties be able
to efficiently generate an authentication
tag
for any message of his or her choice,
•
that each of the communicating parties be able
to efficiently verify
whether or not a given
string is an authentication tag for a given message, and
•
that
no external adversary
(i.e., a party other than the communicating parties)
be able
to efficiently produce authentication tags
to messages not sent by the communicating
parties.
In some sense, “message authentication” is similar to a digital signature. The difference
between the two is that in the setting of message authentication it is not required that
third parties (who may be dishonest) be able to verify the validity of authentication
tags produced by the designated users, whereas in the setting of signature schemes it is
required that such third parties be able to verify the validity of signatures produced by
other users. Hence, digital signatures provide a solution to the message-authentication
problem. On the other hand, a message-authentication scheme does not necessarily
constitute a digital-signature scheme.
Signatures Widen the Scope of Cryptography
Considering the problem of digital signatures as belonging to cryptography widens
the scope of this area from the specific secret-communication problem to a variety
of problems concerned with limiting the “gain” that can be achieved by “dishonest”
behavior of parties (who are either internal or external to the system). Specifically:
