Cryptography Reference
In-Depth Information
For all practical purposes, it is reasonable to assume that the adversary can
mount message attacks. In fact, there are a couple of subclasses of message attacks
that are distinguished in the literature.
In a known message attack, the adversary knows $t \geq 1$ messages
$m_1, m_2, \ldots, m_t$ and their digital signatures $s_1, s_2, \ldots, s_t$.
The messages are known to the adversary, but they are not chosen by him or her.
In a generic chosen message attack, the adversary is able to obtain digital
signatures $s_1, s_2, \ldots, s_t$ for a chosen list of $t \geq 1$ messages
$m_1, m_2, \ldots, m_t$.
In such an attack, the list of messages must be fixed and independent from the
signatory and his or her signing key. Furthermore, it must be chosen before
the attack is mounted. This is why the chosen message attack is called generic
(it is generic in the sense that it is not directed against a particular signatory's
signing key).
The directed chosen message attack is similar to the generic chosen message
attack, except that the list of $t \geq 1$ messages $m_1, m_2, \ldots, m_t$ to
be signed is chosen with respect to the signatory's verification key $k$.
Consequently, the
attack is directed against a particular signatory's signing key. It is, however,
still a nonadaptive attack.
In an adaptive chosen message attack, the adversary is able to obtain digital
signatures $s_1, s_2, \ldots, s_t$ for a chosen list of $t \geq 1$ messages
$m_1, m_2, \ldots, m_t$.
In such an attack, the list of messages depends on the signatory's signing
key and can be adaptively chosen while the attack is going on. Put
differently, one can say that the adversary has access to a signature generation
oracle. For every message $m$ he or she provides, the oracle returns a valid
digital signature $s$ for $m$.
The message attacks are itemized in order of increasing severity, with the
adaptive chosen message attack being the strongest and most severe attack an
adversary can mount. While an adaptive chosen message attack may be impossible
to mount in practice, a well-designed DSS should nonetheless protect
against it.
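The four message attacks differ only in what the adversary may request and when. The following added example (not part of the original text) models them as a signing oracle that enforces each attack's rules and only counts a forgery on a message it never signed. The toy hash-then-sign RSA scheme with fixed Mersenne primes is an assumption for illustration and is not secure; all class and function names are hypothetical.

```python
import hashlib
import secrets

# Toy hash-then-sign RSA with fixed Mersenne primes (assumption, NOT secure).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def h(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def verify(m: bytes, s: int) -> bool:
    return pow(s, E, N) == h(m)

class SigningOracle:
    """Hands out signatures under the rules of one message attack."""
    MODES = ("known", "generic", "directed", "adaptive")

    def __init__(self, mode: str):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode, self.key_seen, self.batches, self.signed = mode, False, 0, set()

    def verification_key(self):
        self.key_seen = True  # from now on, chosen messages can depend on the key
        return (N, E)

    def _sign(self, m: bytes) -> int:
        self.signed.add(m)
        return pow(h(m), D, N)

    def known_pairs(self, t: int):
        # Known message attack: the messages are not chosen by the adversary.
        msgs = [secrets.token_bytes(8) for _ in range(t)]
        return [(m, self._sign(m)) for m in msgs]

    def sign(self, msgs):
        # Chosen message attacks: enforce when and how often lists may be sent.
        if self.mode == "known":
            raise PermissionError("known message attack: no chosen messages")
        if self.mode == "generic" and self.key_seen:
            raise PermissionError("generic: list must be fixed before the key is seen")
        if self.mode != "adaptive" and self.batches:
            raise PermissionError("nonadaptive: only one fixed list is allowed")
        self.batches += 1
        return [self._sign(m) for m in msgs]

    def is_forgery(self, m: bytes, s: int) -> bool:
        # Replaying an oracle answer is not a forgery; m must be unsigned.
        return m not in self.signed and verify(m, s)
```
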
With respect to the task the adversary is required to solve, there are at least
four possibilities one may discover.
In a total break, the adversary must be able to determine the signatory's
signing key $k^{-1}$. This is a total break, because the adversary can then use the
signing key to generate valid signatures for all messages of his or her choice.
A DSS that does not provide protection against a total break is sometimes also
called totally breakable.