Cryptography Reference
In-Depth Information
asetof
mutually trusting
parties that agree on a secret key, which is
being used both to produce and verify authentication-tags. (Indeed,
it is assumed that the mutually trusting parties have generated the
key together or have exchanged the key in a secure way, prior to the
communication of information that needs to be authenticated.)
We focus on the definition of secure signature schemes. Following
Goldwasser, Micali and Rivest (82), we consider very powerful attacks
on the signature scheme as well as a very liberal notion of breaking it.
Specifically, the attacker is allowed to obtain signatures to any message
of its choice. One may argue that in many applications such a general
attack is not possible (because messages to be signed must have a spe-
cific format). Yet, our view is that it is impossible to define a general
(i.e., application-independent) notion of admissible messages, and thus
a general/robust definition of an attack seems to have to be formulated
as suggested here. (Note that, at worst, our approach is overly cau-
tious.) Likewise, the adversary is said to be successful if it can produce
a valid signature to
any
message for which it has not asked for a signa-
ture during its attack. Again, this refers to the ability to form signatures
to possibly “nonsensical” messages as a breaking of the scheme. Yet,
again, we see no way to have a general (i.e., application-independent)
notion of “meaningful” messages (so that only forging signatures to
them will be considered a breaking of the scheme).
Definition 6.1.
(secure signature schemes - a sketch):
A
chosen mes-
sage attack
is a process that, on input a verification-key, can obtain
signatures
(relative to the corresponding signing-key)
to messages of
its choice. Such an attack is said to
succeed
(in existential forgery)
if it
outputs a valid signature to a message for which it has not requested a
signature during the attack. A signature scheme is
secure
(or unforge-
able)
if every
feasible
chosen message attack succeeds with at most
negligible probability, where the probability is taken over the initial
choice of the key-pair as well as over the adversary's actions.
We stress that
plain
RSA (alike plain versions of Rabin's scheme (109)
and the DSS (1)) is not secure under the above definition. However, it
