Digital signature scheme

From CRYPTUTOR

A digital signature scheme provides a way for a party to unforgeably "sign" a message, and for anyone to verify that the signature was generated by the signer. It is a public-key analog of a MAC, but also provides non-repudiation.

1 Definition
2 Non-repudiation
3 One-time digital signature scheme
4 See also

[edit]

Definition

A digital signature scheme scheme consists of the following 3 algorithms:

Key generation (KeyGen): a probabilistic algorithm that takes the implicit security parameter of the scheme as input, and outputs a signing/verification key pair $(S K, V K)$ .
Signing (Sign): an algorithm that takes a signing key and a message as input, and outputs a signature. We generally write $\mathsf{Sign}(SK,m)$ as $\mathsf{Sign}_{SK}(m)$ .
Verification (Ver): An algorithm that takes a verification key, a message, and a signature as input, and outputs a bit. As above, we generally write $\mathsf{Ver}(VK,m,\sigma)$ as $\mathsf{Ver}_{VK}(m,\sigma)$ .

These algorithms must satisfy the following properties:

Efficiency: All three algorithms run in polynomial time in the security parameter.
Correctness: For all $(SK,VK) \gets \mathsf{KeyGen}$ , and all messages $m$ , $\mathsf{Ver}_{VK}(m, \mathsf{Sign}_{SK}(m) ) = 1$
Unforgeability: For all non-uniform PPT (polynomial in the security parameter) adversaries $A$ , the probability that $A$ succeeds in the following experiment is negligible (in the security parameter):

Digital Signature Unforgeability Experiment:

We choose a key pair $(SK,VK) \gets \mathsf{KeyGen}$ and give $V K$ to $A$ .
$A$ is allowed to query an oracle that computes $\mathsf{Sign}_{SK}$ .
$A$ outputs a message/signature pair $(m,σ)$ , with the restriction that the $\mathsf{Sign}_{SK}$ oracle was never queried on input $m$ .
We say that $A$ succeeds if $\mathsf{Ver}_{VK}(m,\sigma) = 1$ .

[edit]

Non-repudiation

Unlike in a MAC, if we are shown a message and signature that verifies, we can be convinced that the holder of the signing key must have produced that signature.

[edit]

One-time digital signature scheme

A weak variant of a digital signature scheme is that of a one-time digital signature scheme. In this variant, we modify the unforgeability experiment so that the adversary can only get one signature from the Sign oracle:

One-Time Digital Signature Unforgeability Experiment:

We choose a key pair $(SK,VK) \gets \mathsf{KeyGen}$ and give $V K$ to $A$ .
$A$ outputs a single message $m$ .
We give $\mathsf{Sign}_{SK}(m)$ to $A$ .
$A$ outputs a message/signature pair $(m',σ)$ , with the restriction that $m' \ne m$ .
We say that $A$ succeeds if $\mathsf{Ver}_{VK}(m',\sigma) = 1$ .

[edit]

Digital signature scheme

From CRYPTUTOR

Contents

Definition

Non-repudiation

One-time digital signature scheme

See also

Views

Personal tools

Navigation

Search

Toolbox