Leo Reyzin. Notes for BU CAS CS 538.

9 Digital Signatures: Definition and First Constructions. Hashing.

9.1 Definition
First note that encryption provides no guarantee that a message is authentic. For example, if a message is encrypted with the one-time pad, the adversary can flip any of its bits by simply flipping the corresponding bit of the ciphertext. In any public-key encryption scheme, there is no way to tell the source of the message, because the key is public. Furthermore, the message can be modified in transit by the adversary in every encryption scheme we studied so far.

Thus, encryption ensures secrecy, but can't help you figure out who the message came from or what it was really meant to say. We need digital signatures for that.
A digital signature scheme is a triple of probabilistic polynomial-time algorithms $(\mathrm{Gen}, \mathrm{Sig}, \mathrm{Ver})$. The key generation algorithm Gen outputs $(PK, SK)$ when given $1^k$ as input. The signing algorithm Sig takes $SK$ and $m$ as input, and outputs a signature $\sigma$. The verification algorithm Ver takes $PK$, $m$, $\sigma$ as input and outputs 1 or 0 (or true/false, valid/invalid, etc.). We require that signatures produced by Sig verify as correct by Ver: if $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$, then for all $m$, $\mathrm{Ver}(PK, m, \mathrm{Sig}(SK, m)) = 1$ (perhaps with probability $1 - \eta(k)$). We may also restrict the message space to some set $M$, and instead of saying "for all $m$," say "for all $m \in M$."
The above description says nothing about security. Indeed, to define security, one has to try a few examples to better understand the notion. Here is an example: suppose my Gen generates an RSA pair $PK = (n, e)$, $SK = (n, d)$; to sign $m$, let $\sigma = m^d \bmod n$, and to verify $(m, \sigma)$, check if $m = \sigma^e \bmod n$. We identified a few problems with this in class: if you have signatures $\sigma_1$ on $m_1$ and $\sigma_2$ on $m_2$, you can compute $\sigma_1 \sigma_2 \bmod n$ to obtain a signature on $m_1 m_2 \bmod n$. Also, without observing any signatures at all, you can pick a random $\sigma \in \mathbb{Z}_n^*$ and compute $m = \sigma^e \bmod n$ to get a valid pair $(m, \sigma)$. Of course, $m$ may not be a meaningful message, but it's difficult to know what will be "meaningful" for a particular application.
The definition we want is that the adversary be unable to come up with a signature on a new message (*any* message of the adversary's choice—so-called "existential forgery"), even after observing signatures on other messages of its choice (so-called "adaptive chosen-message attack"—adaptive because the choice of the next message may depend on the signatures received for previous messages). In other words, the adversary $E^{?}$ is a probabilistic polynomial-time oracle machine (we use the superscript "?" to denote the fact that the machine has access to an oracle; when running the machine $E$ with a specific oracle $f$, we write $E^f$, and sometimes denote by $\cdot$ the placeholder for an input to $f$ given by $E$, e.g., $E^{f(\cdot)}$). Consider the following experiment of running $E$ with the oracle for the signing function:

$\mathrm{Exp}^{\mathrm{forge}}(k)$:
1. $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
2. $(m, \sigma) \leftarrow E^{\mathrm{Sig}_{SK}(\cdot)}(1^k, PK)$
3. If $m$ was not queried by $E$ to its oracle and $\mathrm{Ver}_{PK}(m, \sigma) = 1$, output 1. Else output 0.
Spring '09