981:
117:
The following definitions are ordered from lowest to highest achieved security, in other words, from most powerful to the weakest attack. The definitions form a hierarchy, meaning that an attacker able to mount a specific attack can execute all the attacks further down the list. Likewise, a scheme
713:
544:
182:. An adversary capable of universal forgery is able to sign messages they chose themselves (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.
421:, is valid, the adversary has succeeded in constructing an existential forgery. Thus, creating an existential forgery is easier than a selective forgery, because the attacker may select a message
774:
730:
This notion is a stronger (more secure) variant of the existential forgery detailed above. Weak existential forgery is the creation (by an adversary) of at least one message/signature pair,
808:
produced by the legitimate signer. In contrast to existential forgeries, an adversary is also considered successful if they manage to create a new signature for an already signed message
598:
806:
419:
327:
220:
603:
831:
156:
80:
439:
387:
367:
347:
284:
264:
240:
180:
100:
60:
441:
for which a forgery can easily be created, whereas in the case of a selective forgery, the challenger can ask for the signature of a “difficult” message.
456:
933:
Bleumer G. (2011) Selective
Forgery. In: van Tilborg H.C.A., Jajodia S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA.
289:
The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.
130:: when adversary can recover the private information and keys used by the signer, they can create any possible signature on any message.
109:
definitions can be associated. A signature scheme is secure by a specific definition if no forgery of the associated type is possible.
266:
may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery,
297:
Existential forgery (existential unforgeability, EUF) is the creation (by an adversary) of at least one message/signature pair,
1018:
872:
836:
Strong existential forgery is essentially the weakest adversarial goal, therefore the strongest schemes are those that are
889:
17:
725:
950:
733:
1042:
552:
35:
1037:
102:, but has not been created in the past by the legitimate signer. There are different types of forgery.
1011:
389:
need not have any particular meaning; the message content is irrelevant — as long as the pair,
992:
708:{\displaystyle \sigma \left(m'\right)=\sigma (m_{1}\cdot m_{2})=\sigma (m_{1})\cdot \sigma (m_{2})}
779:
726:
Weak existential forgery (strong existential unforgeability, strong unforgeability; sEUF, or SUF)
392:
300:
193:
141:
65:
1004:
8:
811:
450:
424:
372:
352:
332:
269:
249:
225:
165:
85:
45:
868:
31:
865:
A Classical
Introduction to Cryptography: Applications for Communications Security
934:
917:
988:
895:
860:
1031:
719:
539:{\displaystyle \sigma (m_{1})\cdot \sigma (m_{2})=\sigma (m_{1}\cdot m_{2})}
28:
138:
Universal forgery is the creation (by an adversary) of a valid signature,
349:
has never been signed by the legitimate signer. The adversary can choose
185:
133:
106:
118:
that reaches a certain security goal also reaches all prior ones.
980:
915:
190:
Selective forgery is the creation of a message/signature pair
891:
Lecture Notes on
Cryptography. Summer course on cryptography
126:
More general than the following attacks, there is also a
42:
is the ability to create a pair consisting of a message,
776:, given a number of different message-signature pairs
814:
782:
736:
606:
555:
549:
This property can be exploited by creating a message
459:
427:
395:
375:
355:
335:
303:
272:
252:
228:
196:
168:
144:
88:
68:
48:
948:
444:
825:
800:
768:
707:
592:
538:
433:
413:
381:
361:
341:
321:
278:
258:
234:
214:
174:
150:
94:
74:
54:
887:
186:Selective forgery (selective unforgeability, SUF)
134:Universal forgery (universal unforgeability, UUF)
1029:
881:
956:. La Sapienza University of Rome. pp. 8–9
286:must be fixed before the start of the attack.
1012:
935:https://doi.org/10.1007/978-1-4419-5906-5_225
453:has the following multiplicative property:
1019:
1005:
888:Goldwasser, Shafi; Bellare, Mihir (2008).
944:
942:
859:
769:{\displaystyle \left(m',\sigma '\right)}
987:This cryptography-related article is a
867:(1st ed.). Springer. p. 254.
14:
1030:
718:A common defense to this attack is to
292:
939:
246:by the attacker prior to the attack.
975:
916:Shafi Goldwasser and Mihir Bellare.
855:
853:
593:{\displaystyle m'=m_{1}\cdot m_{2}}
24:
838:strongly existentially unforgeable
722:the messages before signing them.
25:
1054:
850:
445:Example of an existential forgery
979:
949:Fabrizio d'Amore (April 2012).
918:"Lecture Notes on Cryptography"
927:
909:
795:
783:
702:
689:
680:
667:
658:
632:
533:
507:
498:
485:
476:
463:
408:
396:
316:
304:
209:
197:
121:
13:
1:
894:. p. 170. Archived from
843:
991:. You can help Knowledge by
62:, and a signature (or MAC),
7:
801:{\displaystyle (m,\sigma )}
414:{\displaystyle (m,\sigma )}
322:{\displaystyle (m,\sigma )}
215:{\displaystyle (m,\sigma )}
10:
1059:
974:
951:"Digital signatures - DSA"
40:digital signature forgery
112:
105:To each of these types,
222:by an adversary, where
151:{\displaystyle \sigma }
75:{\displaystyle \sigma }
863:(September 16, 2005).
827:
802:
770:
709:
594:
540:
435:
415:
383:
363:
343:
323:
280:
260:
236:
216:
176:
152:
96:
76:
56:
828:
803:
771:
710:
595:
541:
436:
416:
384:
364:
344:
324:
281:
261:
237:
217:
177:
153:
97:
77:
57:
812:
780:
734:
604:
553:
457:
425:
393:
373:
353:
333:
301:
270:
250:
226:
194:
166:
142:
86:
82:, that is valid for
66:
46:
293:Existential forgery
18:Existential forgery
1043:Cryptography stubs
826:{\displaystyle m'}
823:
798:
766:
705:
590:
536:
431:
411:
379:
359:
339:
319:
276:
256:
232:
212:
172:
148:
92:
72:
52:
1038:Digital signature
1000:
999:
874:978-0-387-25464-7
600:with a signature
434:{\displaystyle m}
382:{\displaystyle m}
362:{\displaystyle m}
342:{\displaystyle m}
279:{\displaystyle m}
259:{\displaystyle m}
235:{\displaystyle m}
175:{\displaystyle m}
95:{\displaystyle m}
55:{\displaystyle m}
32:digital signature
16:(Redirected from
1050:
1021:
1014:
1007:
983:
976:
966:
965:
963:
961:
955:
946:
937:
931:
925:
924:
922:
913:
907:
906:
904:
903:
885:
879:
878:
857:
832:
830:
829:
824:
822:
807:
805:
804:
799:
775:
773:
772:
767:
765:
761:
760:
749:
714:
712:
711:
706:
701:
700:
679:
678:
657:
656:
644:
643:
625:
621:
599:
597:
596:
591:
589:
588:
576:
575:
563:
545:
543:
542:
537:
532:
531:
519:
518:
497:
496:
475:
474:
451:RSA cryptosystem
440:
438:
437:
432:
420:
418:
417:
412:
388:
386:
385:
380:
368:
366:
365:
360:
348:
346:
345:
340:
328:
326:
325:
320:
285:
283:
282:
277:
265:
263:
262:
257:
241:
239:
238:
233:
221:
219:
218:
213:
181:
179:
178:
173:
157:
155:
154:
149:
101:
99:
98:
93:
81:
79:
78:
73:
61:
59:
58:
53:
21:
1058:
1057:
1053:
1052:
1051:
1049:
1048:
1047:
1028:
1027:
1026:
1025:
972:
970:
969:
959:
957:
953:
947:
940:
932:
928:
920:
914:
910:
901:
899:
886:
882:
875:
861:Vaudenay, Serge
858:
851:
846:
815:
813:
810:
809:
781:
778:
777:
753:
742:
741:
737:
735:
732:
731:
728:
696:
692:
674:
670:
652:
648:
639:
635:
614:
610:
605:
602:
601:
584:
580:
571:
567:
556:
554:
551:
550:
527:
523:
514:
510:
492:
488:
470:
466:
458:
455:
454:
447:
426:
423:
422:
394:
391:
390:
374:
371:
370:
354:
351:
350:
334:
331:
330:
302:
299:
298:
295:
271:
268:
267:
251:
248:
247:
227:
224:
223:
195:
192:
191:
188:
167:
164:
163:
162:given message,
143:
140:
139:
136:
124:
115:
87:
84:
83:
67:
64:
63:
47:
44:
43:
23:
22:
15:
12:
11:
5:
1056:
1046:
1045:
1040:
1024:
1023:
1016:
1009:
1001:
998:
997:
984:
968:
967:
938:
926:
908:
880:
873:
848:
847:
845:
842:
821:
818:
797:
794:
791:
788:
785:
764:
759:
756:
752:
748:
745:
740:
727:
724:
704:
699:
695:
691:
688:
685:
682:
677:
673:
669:
666:
663:
660:
655:
651:
647:
642:
638:
634:
631:
628:
624:
620:
617:
613:
609:
587:
583:
579:
574:
570:
566:
562:
559:
535:
530:
526:
522:
517:
513:
509:
506:
503:
500:
495:
491:
487:
484:
481:
478:
473:
469:
465:
462:
446:
443:
430:
410:
407:
404:
401:
398:
378:
358:
338:
318:
315:
312:
309:
306:
294:
291:
275:
255:
231:
211:
208:
205:
202:
199:
187:
184:
171:
147:
135:
132:
123:
120:
114:
111:
91:
71:
51:
9:
6:
4:
3:
2:
1055:
1044:
1041:
1039:
1036:
1035:
1033:
1022:
1017:
1015:
1010:
1008:
1003:
1002:
996:
994:
990:
985:
982:
978:
977:
973:
952:
945:
943:
936:
930:
919:
912:
898:on 2012-04-21
897:
893:
892:
884:
876:
870:
866:
862:
856:
854:
849:
841:
839:
834:
819:
816:
792:
789:
786:
762:
757:
754:
750:
746:
743:
738:
723:
721:
716:
697:
693:
686:
683:
675:
671:
664:
661:
653:
649:
645:
640:
636:
629:
626:
622:
618:
615:
611:
607:
585:
581:
577:
572:
568:
564:
560:
557:
547:
528:
524:
520:
515:
511:
504:
501:
493:
489:
482:
479:
471:
467:
460:
452:
442:
428:
405:
402:
399:
376:
356:
336:
313:
310:
307:
290:
287:
273:
253:
245:
229:
206:
203:
200:
183:
169:
161:
145:
131:
129:
119:
110:
108:
103:
89:
69:
49:
41:
37:
33:
30:
29:cryptographic
19:
993:expanding it
986:
971:
958:. Retrieved
929:
911:
900:. Retrieved
896:the original
890:
883:
864:
837:
835:
729:
717:
548:
448:
296:
288:
243:
189:
159:
137:
127:
125:
116:
104:
39:
26:
128:total break
122:Total break
1032:Categories
902:2011-01-30
844:References
793:σ
755:σ
687:σ
684:⋅
665:σ
646:⋅
630:σ
608:σ
578:⋅
521:⋅
505:σ
483:σ
480:⋅
461:σ
406:σ
314:σ
242:has been
207:σ
146:σ
70:σ
960:July 27,
820:′
758:′
747:′
619:′
561:′
369:freely;
329:, where
107:security
38:system,
871:
244:chosen
158:, for
954:(PDF)
921:(PDF)
113:Types
27:In a
989:stub
962:2018
869:ISBN
720:hash
449:The
160:any
36:MAC
34:or
1034::
941:^
852:^
840:.
833:.
715:.
546:.
1020:e
1013:t
1006:v
995:.
964:.
923:.
905:.
877:.
817:m
796:)
790:,
787:m
784:(
763:)
751:,
744:m
739:(
703:)
698:2
694:m
690:(
681:)
676:1
672:m
668:(
662:=
659:)
654:2
650:m
641:1
637:m
633:(
627:=
623:)
616:m
612:(
586:2
582:m
573:1
569:m
565:=
558:m
534:)
529:2
525:m
516:1
512:m
508:(
502:=
499:)
494:2
490:m
486:(
477:)
472:1
468:m
464:(
429:m
409:)
403:,
400:m
397:(
377:m
357:m
337:m
317:)
311:,
308:m
305:(
274:m
254:m
230:m
210:)
204:,
201:m
198:(
170:m
90:m
50:m
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.