Digital signature forgery

In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message $m$ and a signature (or MAC) $\sigma$ that is valid for $m$ , where $m$ has not been signed in the past by the legitimate signer. There are three types of forgery: existential, selective, and universal.^[1]

Types

Besides the following attacks, there is also a total break: when adversary can compute the signer's private key and therefore forge any possible signature on any message^[2]

Existential forgery

Existential forgery is the creation (by an adversary) of at least one message/signature pair $(m, \sigma)$ , where $\sigma$ was not produced by the legitimate signer. The adversary need not have any control over $m$ ; $m$ need not have any particular meaning; the message content is irrelevant — as long as the pair $(m, \sigma)$ is valid, the adversary has succeeded in constructing an existential forgery.

Existential forgery is essentially the weakest adversarial goal, therefore the strongest schemes are those that are "existentially unforgeable". Nevertheless, many state-of-art signature algorithms allow existential forgery. For example, an RSA forgery can be done as follows:

Let $e$ be the RSA public key.
Choose a random signature $Sig$ .
Send the message as: $Sig^e(modn)||Sig(modn)$ .
The recipient check the signature: $Sig^e==Sig^e$ so the check will pass.

Note: the sender cannot control the message content so it will be a random message, that may help in some cases.

Multiplication forgery

This forgery can be used with two messages with their signatures as follows:

Let $x_1 = S_k(y_1)$ be RSA signature on the message $y_1$ under the key $k$ .
Analogously, $x_2 = S_k(y_2)$ .
in that case $x_1 \cdot x_2 \pmod{n}$ will be valid RSA signature on the message $y_1 \cdot y_2 \pmod{n}$ under the key $k$ .^[3]

Selective forgery

Selective forgery is the creation (by an adversary) of a message/signature pair $(m, \sigma)$ where $m$ has been chosen by the adversary prior to the attack. $m$ may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery, $m$ must be fixed before the start of the attack.

The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.

Universal forgery

Universal forgery is the creation (by an adversary) of a valid signature $\sigma$ for any given message $m$ . An adversary capable of universal forgery is able to sign messages he chose himself (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.

References

↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

[1] Lua error in package.lua at line 80: module 'strict' not found.

[GoldwasserBellare-2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

Digital signature forgery

Contents

Types

Existential forgery

Multiplication forgery

Selective forgery

Universal forgery

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools