Cryptography Reference
In-Depth Information
it is infeasible for an external adversary (i.e., a party other
than the communicating parties) to produce authentication
tags to messages not sent by the communicating parties.
Note that in contrast to the specification of signature schemes we do not
require universal verification: only the designated receiver is required
to be able to verify the authentication tags. Furthermore, we do not
require that the receiver cannot produce authentication tags by itself
(i.e., we only require that external parties cannot do so). Thus, message
authentication schemes cannot convince a third party that the sender
has indeed sent the information (rather than the receiver having gener-
ated it by itself). In contrast, signatures can be used to convince third
parties: in fact, a signature to a document is typically sent to a second
party so that in the future this party may (by merely presenting the
signed document) convince third parties that the document was indeed
generated (or sent or approved) by the signer.
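An added illustration of the distinction drawn above (not part of the original text): with a shared-key tag the receiver can produce a valid tag itself, whereas a signature verifies against a public key that does not allow signing. HMAC-SHA256 and a Lamport one-time signature are stand-ins chosen for this example, since the text names no concrete scheme, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Message authentication: one shared key both tags and verifies ---
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

# --- Signature: Lamport one-time scheme (each key pair signs ONE message) ---
def _bits(msg: bytes) -> list:
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sig_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(_h(a), _h(b)) for a, b in sk]   # verification key: safe to publish
    return sk, vk

def sig_sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def sig_verify(vk, msg: bytes, sig: list) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(_h(sig[i]) == vk[i][bits[i]] for i in range(256))

def receiver_forges_mac() -> bool:
    key = secrets.token_bytes(32)           # held by sender AND receiver
    never_sent = b"pay receiver 1000"       # constructed sample message
    tag = mac_tag(key, never_sent)          # computed by the receiver alone
    return mac_verify(key, never_sent, tag) # valid, so it proves nothing to others

def outsider_forges_mac() -> bool:
    key, guess = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"pay receiver 1000"
    return mac_verify(key, msg, mac_tag(guess, msg))  # external party lacks the key

def third_party_checks_signature():
    sk, vk = sig_keygen()                   # signer keeps sk, publishes vk
    msg = b"pay receiver 10"                # constructed sample message
    sig = sig_sign(sk, msg)
    # Anyone holding vk can verify; the receiver cannot re-target the signature.
    return sig_verify(vk, msg, sig), sig_verify(vk, b"pay receiver 1000", sig)

if __name__ == "__main__":
    print(receiver_forges_mac(), outsider_forges_mac(), third_party_checks_signature())
```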
Formally speaking, both signature schemes and message authentication
schemes consist of three efficient algorithms: key generation, signing
and verification. As in the case of encryption schemes, the key-generation
algorithm is used to generate a pair of corresponding keys,
one is used for signing and the other is used for verification. The dif-
ference between the two types of schemes is reflected in the definition
of security. In the case of signature schemes, the adversary is given the
verification-key, whereas in the case of message authentication schemes
the verification-key (which may equal the signing-key) is not given to
the adversary. Thus, schemes for message authentication can be viewed
as a private-key version of signature schemes. This difference yields dif-
ferent functionalities (even more than in the case of encryption): In the
typical use of a signature scheme, each user generates a pair of sign-
ing and verification keys, publicizes the verification-key and keeps the
signing-key secret. Subsequently, each user may sign documents using
its own signing-key, and these signatures are universally verifiable with
respect to its public verification-key. In contrast, message authentica-
tion schemes are typically used to authenticate information sent among