Digital signature

TODO: high level description

Syntax

A Digital Signature scheme is a tuple of efficient algorithms $DS = (KeyGen, Sign, Vrfy)$ with respect to signing keyspace $K_{sk}$ , verification (or public) keyspace $K_{pk}$ , message space $M$ , and signature space $S$ :

$KeyGen (1^{λ}) \to (sk, vk),$ is a randomized algorithm which samples a signing key $sk \in K_{sk}$ and verification (or public) key $vk \in K_{pk}$ ,
$Sign (sk, m) \to c,$ is a (possibly) randomized algorithm which takes a signing key $sk \in K_{sk}$ and message $m \in M$ , outputting signature $σ \in S$ ,
$Vrfy (vk, m, σ) \to b,$ is a deterministic algorithm which takes a verification key $vk \in K_{vk},$ a message $m \in M,$ and a signature $σ \in S$ , outputting a bit $b \in {0, 1}$ indicating whether the signature is valid or not.

Properties

Correctness

A Digital Signature scheme $DS = (KeyGen, Sign, Vrfy)$ is $(1 - ε)$ -correct if for all $m \in M$ ,

Pr [Vrfy (vk, m, Sign (sk, m)) = 1] \geq 1 - ε,

over the randomness of $(sk, vk) \leftarrow KeyGen (1^{λ})$ and possibly $Sign .$

Existential Unforgeability

The following is the existential unforgeability under chosen message attacks (EUF-CMA) game. This security notion requires that an adversary cannot find a message signature pair $(\overset{m}{^}, \overset{σ}{^})$ even given many samples

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\eufcma}_{\DS,\calA}(\secpar)$}
\begin{algorithmic}
\State $(\sk, \vk) \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calQ \gets \{\}$
\State $(\hat{m},\hat{\sigma}) \gets \calA^{\calO}(1^\secpar, \vk)$
\If{$\hat{m}\in \calQ$}
\Comment{$\hat{m}$ cannot repeat}
\Return $0$
\EndIf
\Return $[\Vrfy(\vk,\hat{m},\hat{\sigma})]$
\end{algorithmic}
\end{algorithm}

\begin{algorithm}
\algname{Oracle}
\caption{$\calO(m)$}
\begin{algorithmic}
\State $\sigma \gets \Sign(\sk,m)$
\State $\calQ \gets \calQ \cup \{m\}$
\Return $\sigma$
\end{algorithmic}
\end{algorithm}

A DS scheme $DS$ is EUF-CMA unforgeable if for all efficient $A$ ,

Adv_{DS, A}^{euf - cma} (λ) := Pr [G_{DS, A}^{euf - cma} (λ) = 1]

is negligible.

Strong Unforgeability

The following is the strongly unforgeability under chosen message attacks (SUF-CMA) game. This security notion strenghtens the above EUF-CMA notation and requires $DS$ to prevent an adversary from “mauling” the signature to produce a new signature for the same message. For example, by rerandomizing the signature into another valid signature.

\begin{algorithm}
\algname{Game}
\caption{$\Game^{\sufcma}_{\DS,\calA}(\secpar)$}
\begin{algorithmic}
\State $(\sk, \vk) \gets \KeyGen(1^\secpar)$; $b \getsr \bits$
\State $\calQ \gets \{\}$
\State $(\hat{m},\hat{\sigma}) \gets \calA^{\calO}(1^\secpar, \vk)$
\If{$(\hat{m},\hat{\sigma})\in \calQ$}
\Comment{$(\hat{m},\hat{\sigma})$ cannot repeat}
\Return $0$
\EndIf
\Return $[\Vrfy(\vk,\hat{m},\hat{\sigma})]$
\end{algorithmic}
\end{algorithm}

\begin{algorithm}
\algname{Oracle}
\caption{$\calO(m)$}
\begin{algorithmic}
\State $\sigma \gets \Sign(\sk,m)$
\State $\calQ \gets \calQ \cup \{(m, \sigma)\}$
\Return $\sigma$
\end{algorithmic}
\end{algorithm}

A DS scheme $DS$ is SU-CMA unforgeable if for all efficient $A$ ,

Adv_{DS, A}^{suf - cma} (λ) := Pr [G_{DS, A}^{suf - cma} (λ) = 1]

is negligible.

Variations

Other results

If OWFs exist, then Digital Signatures exist — Lamport signature citation

Cryptology City

Explorer