Cryptography Reference
In-Depth Information
•
every user can
eciently verify
whether a given string is a
signature of another (specific) user on a specific document;
but
•
it is infeasible to produce signatures of other users
to docu-
ments they did not sign.
We note that the formulation of unforgeable digital signatures provides
also a clear statement of the essential ingredients of handwritten sig-
natures. The ingredients are each person's ability to sign for itself, a
universally agreed verification procedure, and the belief (or assertion)
that it is infeasible (or at least hard) to forge signatures (i.e., produce
some other person's signatures to documents that were not signed by it
such that these “unauthentic” signatures are accepted by the verifica-
tion procedure). It is not clear to what extent handwritten signatures
meet these requirements. In contrast, our discussion of digital signa-
tures provides precise statements concerning the extent to which digi-
tal signatures meet the above requirements. Furthermore, unforgeable
digital signature schemes can be constructed based on some reasonable
computational assumptions (i.e., the existence of one-way functions).
Message authentication schemes:
Message authentication is a
task related to the setting considered for encryption schemes; that
is, communication over an insecure channel. This time, we consider
an active adversary that is monitoring the channel and may alter the
messages sent on it. The parties communicating through this insecure
channel wish to authenticate the messages they send so that their coun-
terpart can tell an original message (sent by the sender) from a modified
one (i.e., modified by the adversary). Loosely speaking, a
scheme for
message authentication
should satisfy the following:
•
each of the communicating parties can
eciently produce an
authentication tag
to any message of its choice;
•
each of the communicating parties can
eciently verify
whether a given string is an authentication tag of a given
message; but