In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message,
Types
Besides the following attacks, there is also a total break: when an adversary can compute the signer's private key and therefore forge any possible signature on any message.
Existential forgery (EUF, Existential Unforgeability)
Existential forgery is the creation (by an adversary) of at least one message/signature pair,
Existential forgery is essentially the weakest adversarial goal; therefore, the strongest schemes are those that are existentially unforgeable. Nevertheless, many state-of-the-art signature algorithms allow existential forgery. For example, an RSA forgery can be done as follows:
- Let $e$ be the RSA public key.
- Choose a random signature, $\sigma$.
- Send the message as: $\sigma^e \pmod{n} \parallel \sigma \pmod{n}$.
- The recipient checks the signature: $\sigma^e = \sigma^e$
Note: The sender cannot control the message content, so it will be a random message, which may help in some cases.
Multiplication forgery
This forgery can be used with two messages and their signatures as follows:
- Let $\sigma_1 = S_k(m_1)$ be the RSA signature on the message, $m_1$, under the key, $k$.
- Analogously, $\sigma_2 = S_k(m_2)$.
- In that case $\sigma_1 \cdot \sigma_2 \pmod{n}$ will be the valid RSA signature on the message, $m_1 \cdot m_2 \pmod{n}$, under the key, $k$.
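Both RSA forgeries described above (the random-signature forgery and the multiplication forgery) can be checked numerically. The Python below is an added example, not part of the original page: the toy key built from two Mersenne primes, the sample values, and the helper `h` (SHA-256 reduced mod n, a stand-in for hashing the message before signing) are assumptions, and the hashed verifier is included to show the same pairs being rejected.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, far too weak for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only by the signer

def sign_textbook(m):
    """S_k(m) = m^d mod n, with no hashing or padding."""
    return pow(m, D, N)

def verify_textbook(m, sig):
    return pow(sig, E, N) == m % N

def h(m):
    """Hypothetical stand-in for hash-then-sign: SHA-256 of m, reduced mod n."""
    data = m.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_hashed(m):
    return pow(h(m), D, N)

def verify_hashed(m, sig):
    return pow(sig, E, N) == h(m)

def existential_forgery(sigma):
    """Needs only (n, e): the 'message' is whatever sigma^e mod n turns out to be."""
    return pow(sigma, E, N), sigma % N

def multiplication_forgery(m1, s1, m2, s2):
    """Combine two valid pairs into a pair for m1*m2 mod n without the private key."""
    return (m1 * m2) % N, (s1 * s2) % N

def demo():
    m_rand, s_rand = existential_forgery(123456789)  # constructed sample value
    m1, m2 = 42, 1337                                # constructed sample messages
    m3, s3 = multiplication_forgery(m1, sign_textbook(m1), m2, sign_textbook(m2))
    m4, s4 = multiplication_forgery(m1, sign_hashed(m1), m2, sign_hashed(m2))
    return {
        "existential_accepted_textbook": verify_textbook(m_rand, s_rand),
        "existential_accepted_hashed": verify_hashed(m_rand, s_rand),
        "product_accepted_textbook": verify_textbook(m3, s3),
        "product_accepted_hashed": verify_hashed(m4, s4),
        "honest_hashed_signature_ok": verify_hashed(m1, sign_hashed(m1)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The textbook verifier accepts both forged pairs because RSA signing is multiplicative and the verification equation places no constraint on the message; hashing the message first removes that algebraic structure, so the same pairs fail.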
Selective forgery (SUF, Selective Unforgeability)
Selective forgery is the creation (by an adversary) of a message/signature pair
The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.
Universal forgery (UUF, Universal Unforgeability)
Universal forgery is the creation (by an adversary) of a valid signature,