Leo Reyzin. Notes for BU CAS CS 538.

9 Digital Signatures: Definition and First Constructions. Hashing.

9.1 Definition

First note that encryption provides no guarantee that a message is authentic. For example, if a message is encrypted with the one-time pad, the adversary can flip any of its bits by simply flipping the corresponding bit of the ciphertext. In any public-key encryption scheme, there is no way to tell the source of the message, because the key is public. Furthermore, the message can be modified in transit by the adversary in every encryption scheme we studied so far. Thus, encryption ensures secrecy, but can't help you figure out who the message came from or what it was really meant to say. We need digital signatures for that.

A digital signature scheme is a triple of probabilistic polynomial-time algorithms (Gen, Sig, Ver). The key generation algorithm Gen outputs (PK, SK) when given 1^k as input. The signing algorithm Sig takes SK and m as input, and outputs a signature. The verification algorithm Ver takes PK, m and a candidate signature as input and outputs 1 or 0 (or true/false, valid/invalid, etc.). We require that signatures produced by Sig verify as correct by Ver: if (PK, SK) is output by Gen(1^k), then for all m, Ver(PK, m, Sig(SK, m)) = 1 (perhaps only with probability 1 minus a negligible function of k). We may also restrict the message space to some set M, and instead of saying "for all m", say "for all m in M".

The above description says nothing about security. Indeed, to define security, one has to try a few examples to better understand the notion. Here is an example: suppose my Gen generates an RSA pair PK = (n, e), SK = (n, d); to sign m, output the signature m^d mod n, and to verify a pair (m, signature), check whether raising the signature to the power e modulo n yields m. We identified a few problems with this in class: if you have signatures on m_1 and on m_2, you can multiply them modulo n to obtain a signature on m_1 m_2 mod n. Also, without observing any signatures at all, you can pick a random element of Z_n^* as the signature and compute m as its e-th power mod n to get a valid pair (m, signature). Of course, m may not be a meaningful message, but it's difficult to know what will be meaningful for a particular application.

The definition we want is that the adversary be unable to come up with a signature on a new message (any message of the adversary's choice, the so-called existential forgery), even after observing signatures on other messages of its choice (the so-called adaptive chosen-message attack; adaptive because the choice of the next message may depend on the signatures received for previous messages). In other words, the adversary E^? is a probabilistic polynomial-time oracle machine (we use the superscript ? to denote the fact that the machine has access to an oracle; when running the machine E with a specific oracle f, we write E^f, and sometimes write E^f(·), where · is a placeholder for an input to f supplied by E). Consider the following ...
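The following Python program is an added example (it is not code from Reyzin's notes) that implements the (Gen, Sig, Ver) triple for the textbook RSA scheme described above and checks the two defects identified in class: multiplying two signatures gives a signature on the product of the messages, and a random element of Z_n^* raised to the power e yields a valid pair with no signing oracle at all. It also includes a hash-then-sign variant, which goes beyond what the notes show at this point (the section heading mentions hashing); the helper names, the toy key material (two small Mersenne primes, chosen so the script needs no prime search) and the sample messages are all constructed for this example and are far too small for real use.

```python
"""Textbook RSA signatures and the two defects named in the notes.

Added example, not part of the lecture notes. Key material is constructed:
p = 2^31 - 1 and q = 2^61 - 1 are known primes, chosen so the code runs
offline without a prime search. Standard library only (Python 3.8+).
"""
import hashlib
import secrets
from math import gcd

P = 2**31 - 1          # constructed toy prime
Q = 2**61 - 1          # constructed toy prime
E = 65537              # public exponent, coprime to (P-1)(Q-1)


def gen():
    """Gen: return (PK, SK) = ((n, e), (n, d)) with d = e^-1 mod phi(n)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)            # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def sig(sk, m):
    """Textbook Sig: the signature on m is m^d mod n (no hashing, no padding)."""
    n, d = sk
    return pow(m, d, n)


def ver(pk, m, s):
    """Textbook Ver: accept iff s^e mod n == m."""
    n, e = pk
    return pow(s, e, n) == m % n


def combine_signatures(pk, s1, s2):
    """Defect 1: s1*s2 mod n verifies as a signature on m1*m2 mod n."""
    n, _ = pk
    return s1 * s2 % n


def forge_from_random(pk):
    """Defect 2: pick random s in Z_n^*, set m = s^e mod n; (m, s) verifies
    although no signature was ever observed (m is usually meaningless)."""
    n, e = pk
    while True:
        s = secrets.randbelow(n)
        if s > 1 and gcd(s, n) == 1:       # ensure s lies in Z_n^*
            return pow(s, e, n), s


def _hash_to_zn(n, m):
    """Constructed helper: hash the message and reduce into Z_n. A real
    scheme uses a full-domain hash or PSS encoding, not a bare reduction."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % n


def sig_hashed(sk, m):
    """Hash-then-sign: sign H(m) instead of m."""
    n, d = sk
    return pow(_hash_to_zn(n, m), d, n)


def ver_hashed(pk, m, s):
    """Verify a hash-then-sign signature: s^e mod n must equal H(m)."""
    n, e = pk
    return pow(s, e, n) == _hash_to_zn(n, m)


def demo():
    """Run the correctness check and both defects; return a dict of results."""
    pk, sk = gen()
    n, _ = pk
    m1, m2 = 123456789, 987654321          # constructed sample messages
    s1, s2 = sig(sk, m1), sig(sk, m2)
    results = {
        "correctness": ver(pk, m1, s1) and ver(pk, m2, s2),
        # (m1^d * m2^d)^e == m1*m2 mod n, so the combined signature verifies
        "multiplicative_forgery": ver(pk, m1 * m2 % n, combine_signatures(pk, s1, s2)),
        "random_forgery": ver(pk, *forge_from_random(pk)),
    }
    h1, h2 = sig_hashed(sk, m1), sig_hashed(sk, m2)
    results["hashed_correctness"] = ver_hashed(pk, m1, h1) and ver_hashed(pk, m2, h2)
    # With hashing, H(m1*m2) != H(m1)*H(m2) mod n except with negligible
    # probability, so the multiplicative combination no longer verifies.
    results["hashed_multiplicative_forgery"] = ver_hashed(
        pk, m1 * m2 % n, combine_signatures(pk, h1, h2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first three results come out True by the algebra in the notes (ed ≡ 1 mod phi(n), so (m_1 m_2)^{ed} ≡ m_1 m_2 mod n, and s^e is by construction the message paired with a random s). The hashed variant keeps correctness but the combined signature fails, which is the reason signature schemes sign a hash of the message rather than the raw message; it does not by itself settle existential unforgeability, which is what the definition being developed above is for.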
This document was uploaded on 02/27/2012.
Spring '09