Leo Reyzin. Notes for BU CAS CS 538.

9 Digital Signatures: Definition and First Constructions. Hashing.

9.1 Definition

First note that encryption provides no guarantee that a message is authentic. For example, if a message is encrypted with the one-time pad, the adversary can flip any of its bits by simply flipping the corresponding bit of the ciphertext. In any public-key encryption scheme, there is no way to tell the source of the message, because the key is public. Furthermore, the message can be modified in transit by the adversary in every encryption scheme we have studied so far. Thus, encryption ensures secrecy, but can't help you figure out who the message came from or what it was really meant to say. We need digital signatures for that.

A digital signature scheme is a triple of probabilistic polynomial-time algorithms $(\mathrm{Gen}, \mathrm{Sig}, \mathrm{Ver})$. The key generation algorithm Gen outputs $(PK, SK)$ when given $1^k$ as input. The signing algorithm Sig takes $SK$ and $m$ as input, and outputs a signature $\sigma$. The verification algorithm Ver takes $PK, m, \sigma$ as input and outputs 1 or 0 (or true/false, valid/invalid, etc.). We require that signatures produced by Sig verify as correct by Ver: if $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$, then for all $m$, $\mathrm{Ver}(PK, m, \mathrm{Sig}(SK, m)) = 1$ (perhaps with probability $1 - \epsilon(k)$). We may also restrict the message space to some set $M$, and instead of saying "for all $m$", say "for all $m \in M$".

The above description says nothing about security. Indeed, to define security, one has to try a few examples to better understand the notion. Here is an example: suppose my Gen generates an RSA pair $PK = (n, e)$, $SK = (n, d)$; to sign $m$, let $\sigma = m^d \bmod n$, and to verify $(m, \sigma)$, check if $m = \sigma^e \bmod n$. We identified a few problems with this in class: if you have signatures $\sigma_1$ on $m_1$ and $\sigma_2$ on $m_2$, you can compute $\sigma_1 \sigma_2 \bmod n$ to obtain a signature on $m_1 m_2 \bmod n$. Also, without observing any signatures at all, you can pick a random $\sigma \in \mathbb{Z}_n^*$ and compute $m = \sigma^e \bmod n$ to get a valid pair $(m, \sigma)$. Of course, $m$ may not be a meaningful message, but it's difficult to know what will be meaningful for a particular application.

The definition we want is that the adversary be unable to come up with a signature on a new message (any message of the adversary's choice, a so-called existential forgery), even after observing signatures on other messages of its choice (a so-called adaptive chosen-message attack; adaptive because the choice of the next message may depend on the signatures received for previous messages). In other words, the adversary $E^?$ is a probabilistic polynomial-time oracle machine (we use the superscript $?$ to denote the fact that the machine has access to an oracle; when running the machine $E$ with a specific oracle $f$, we write $E^f$, and sometimes denote by $\cdot$ the placeholder for an input to $f$ given by $E$, e.g., $E^{f(\cdot)}$). Consider the following ...
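The $(\mathrm{Gen}, \mathrm{Sig}, \mathrm{Ver})$ triple and the two textbook-RSA problems discussed above, as an added Python example (this code is not from Reyzin's notes). It builds a key from two fixed Mersenne primes (a constructed, illustration-sized key, so the example runs offline without prime generation), checks the correctness requirement, reproduces both observations (the product of two signatures verifies on the product of the messages, and a random $\sigma$ yields a verifying pair with no signatures seen), and then goes one step beyond the preview text by signing $H(m)$ instead of $m$, the standard hash-then-sign remedy that the lecture title refers to. The function names, the sample messages and the choice of SHA-256 are assumptions of this example, not the notes'; the modular inverse uses `pow(e, -1, phi)`, which needs Python 3.8 or later.

```python
"""Textbook RSA as a (Gen, Sig, Ver) triple, with the two forgeries from the
notes reproduced, and the hash-then-sign variant for comparison."""
import hashlib
import secrets

# Constructed key material: two known Mersenne primes so the example runs
# offline with no prime generation. This key size is for illustration only.
P = (1 << 127) - 1
Q = (1 << 61) - 1
E = 65537  # gcd(E, (P-1)(Q-1)) == 1 for these primes


def gen():
    """Gen: return (PK, SK) = ((n, e), (n, d)) for the fixed primes above."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, E), (n, d)


def sig(sk, m):
    """Sig: sigma = m^d mod n (textbook RSA, no hashing, no padding)."""
    n, d = sk
    return pow(m, d, n)


def ver(pk, m, sigma):
    """Ver: accept iff m == sigma^e mod n."""
    n, e = pk
    return m % n == pow(sigma, e, n)


def forge_by_multiplying(pk, m1, s1, m2, s2):
    """Given sigma_1 on m_1 and sigma_2 on m_2, return a pair on m_1*m_2 mod n.
    It verifies because sigma_1*sigma_2 = (m_1 m_2)^d mod n."""
    n, _ = pk
    return (m1 * m2) % n, (s1 * s2) % n


def forge_from_random_sigma(pk):
    """With no signatures at all: pick sigma, set m = sigma^e mod n.
    The pair verifies, but m is a random element, not a chosen message."""
    n, e = pk
    sigma = secrets.randbelow(n - 2) + 2  # sigma in [2, n-1]
    return pow(sigma, e, n), sigma


# Hash-then-sign: sign H(m) rather than m. This is the standard remedy
# (the lecture title mentions hashing); it is an addition of this example,
# not part of the preview text.
def h(n, m: bytes):
    """Constructed hash-to-Z_n: SHA-256 of the message, reduced mod n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sig_hashed(sk, m: bytes):
    n, d = sk
    return pow(h(n, m), d, n)


def ver_hashed(pk, m: bytes, sigma):
    n, e = pk
    return h(n, m) == pow(sigma, e, n)


def demo():
    """Run each step and report which pairs verify."""
    pk, sk = gen()
    n, _ = pk
    m1, m2 = 123456789, 987654321  # constructed sample messages
    s1, s2 = sig(sk, m1), sig(sk, m2)
    m3, s3 = forge_by_multiplying(pk, m1, s1, m2, s2)
    m4, s4 = forge_from_random_sigma(pk)

    a, b = b"transfer 10", b"transfer 20"  # constructed sample messages
    ha, hb = sig_hashed(sk, a), sig_hashed(sk, b)
    # Multiplying hashed signatures yields a valid sigma for H(a)H(b) mod n,
    # but that value is not the hash of any message the forger can name,
    # so checking it against a candidate such as a+b fails.
    return {
        "honest_verifies": ver(pk, m1, s1) and ver(pk, m2, s2),
        "product_forgery_verifies": ver(pk, m3, s3),
        "random_sigma_forgery_verifies": ver(pk, m4, s4),
        "hashed_honest_verifies": ver_hashed(pk, a, ha) and ver_hashed(pk, b, hb),
        "hashed_product_verifies_on_concat": ver_hashed(pk, a + b, (ha * hb) % n),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The random-$\sigma$ pair counts as a forgery under the existential definition above precisely because the adversary need not control the message; that is why the definition quantifies over any new message rather than a meaningful one. Hash-then-sign removes the algebraic structure the first forgery relies on and makes the second one produce only a random hash value that no message maps to, which is what the security definition is designed to capture.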
This document was uploaded on 02/27/2012.
 Spring '09
