Cryptography Reference
In-Depth Information
Non-repudiation
. A digital signature can be stored by anyone who receives it as
evidence. This evidence could later be presented to a third party who could use
the evidence to resolve any dispute that relates to the contents and/or origin of
the underlying data.
Note that digital signature schemes are often deployed simply for their ability to
provide data origin authentication. They are the main public-key cryptographic
primitive for providing data origin authentication and the obvious choice for
applications that require data origin authentication but cannot, normally for key
management reasons, use a MAC.
In order to provide these two security services, a digital signature on some data
will need to be computed from:
The data
. Since a digital signature provides data origin authentication (and non-
repudiation) it is clear that the digital signature itself must depend on the
data and cannot be a completely unrelated piece of information. Note that
although its computation must involve the data, it could be transmitted and
stored separately from the data. This is in contrast to handwritten signatures,
as we discuss in Section 7.4.3.
A secret parameter known only by the signer
. Since a digital signature provides
non-repudiation, its calculation must involve a secret parameter that is known
only by the signer. If any other entity knows this secret parameter then it
will be impossible to tell whether it was the signer or the other entity who
computed the digital signature. The only possible situation where this might
be acceptable is if the other entity is totally trusted by all parties involved in the
signing and verifying of digital signatures, which is a scenario that we discuss in
Section 7.2.
BASIC PROPERTIES OF A DIGITAL SIGNATURE SCHEME
There are three basic properties that any practical digital signature scheme should
normally have:
Easy for the signer to sign data
. From a practical perspective, there is no point in
having a digital signature scheme that requires the signer to compute complex
operations in order to generate a digital signature. The signing process should
be as efficient as possible.
Easy for anyone to verify a message
. Similarly, the verification of a digital
signature should be as efficient as possible.
Hard for anyone to forge a digital signature
. In other words, it should be
practically impossible for anyone who is not the legitimate signer to compute
a digital signature on some data that appears to be valid. By 'appears to be
valid' we mean that anyone who attempts to verify the digital signature is led
to believe that they have just successfully verified a valid digital signature on
some data.
