Cryptography: Theory and Practice by Douglas Stinson CRC Press, CRC Press LLC ISBN: 0849385210 Pub Date: 03/17/95 |
Previous | Table of Contents | Next |
In this chapter, we study signature schemes, which are also called digital signatures. A conventional handwritten signature attached to a document is used to specify the person responsible for it. A signature is used in everyday situations such as writing a letter, withdrawing money from a bank, signing a contract, etc.
A signature scheme is a method of signing a message stored in electronic form. As such, a signed message can be transmitted over a computer network. In this chapter, we will study several signature schemes, but first we discuss some fundamental differences between conventional and digital signatures.
First is the question of signing a document. With a conventional signature, a signature is physically part of the document being signed. However, a digital signature is not attached physically to the message that is signed, so the algorithm that is used must somehow bind the signature to the message.
Second is the question of verification. A conventional signature is verified by comparing it to other, authentic signatures. For example, when someone signs a credit card purchase, the salesperson is supposed to compare the signature on the sales slip to the signature on the back of the credit card in order to verify the signature. Of course, this is not a very secure method as it is relatively easy to forge someone elses signature. Digital signatures, on the other hand, can be verified using a publicly known verification algorithm. Thus, anyone can verify a digital signature. The use of a secure signature scheme will prevent the possibility of forgeries.
Another fundamental difference between conventional and digital signatures is that a copy of a signed digital message is identical to the original. On the other hand, a copy of a signed paper document can usually be distinguished from an original. This feature means that care must be taken to prevent a signed digital message from being reused. For example, if Bob signs a digital message authorizing Alice to withdraw $100 from his bank account (i.e., a check), he only wants Alice to be able to do so once. So the message itself should contain information, such as a date, that prevents it from being reused.
A signature scheme consists of two components: a signing algorithm and a verification algorithm. Bob can sign a message x using a (secret) signing algorithm sig. The resulting signature sig(x) can subsequently be verified using a public verification algorithm ver. Given a pair (x, y), the verification algorithm returns an answer true or false depending on whether the signature is authentic.
Here is a formal defintion of a signature scheme.
DEFINITION 6.1 A signature scheme is a five-tuple , where the following conditions are satisfied:
For every , the functions sigK and verK should be polynomial-time functions. verK will be a public function and sigK will be secret. It should be computationally infeasible for Oscar to forge Bobs signature on a message x. That is, given x, only Bob should be able to compute the signature y such that ver(x, y) = true. A signature scheme cannot be unconditionally secure, since Oscar can test all possible signatures y for a message x using the public algorithm ver, until he finds the right signature. So, given sufficient time, Oscar can always forge Bobs signature. Thus, as was the case with public-key cryptosystems, our goal is to find signature schemes that are computationally secure.
As our first example of a signature scheme, we observe that the RSA public-key cryptosystem can be used to provide digital signatures. See Figure 6.1.
Thus, Bob signs a message x using the RSA decryption rule dK. Bob is the only person that can create the signature since dK = sigK is secret. The verification algorithm uses the RSA encryption rule eK. Anyone can verify a signature since eK is public.
Note that anyone can forge Bobs signature on a random message x by computing x = eK(y) for some y; then y = sigK(x). One way around this difficulty is to require that messages contain sufficient redundancy that a forged signature of this type does not correspond to a meaningful message x except with a very small probability. Alternatively, the use of hash functions in conjunction with signature schemes will eliminate this method of forging (cryptographic hash functions will be discussed in Chapter 7).
Figure 6.1 RSA Signature Scheme
Finally, lets look briefly at how we would combine signing and public-key encryption. Suppose Alice wishes to send a signed, encrypted message to Bob. Given a plaintext x, Alice would compute her signature y = sig Alice(x), and then encrypt both x and y using Bobs public encryption function eBob, obtaining z = eBob (x, y). The ciphertext z would be transmitted to Bob. When Bob receives z, he first decrypts it with his decryption function dBob to get (x, y). Then he uses Alices public verification function to check that ver Alice(x, y) = true.
Previous | Table of Contents | Next |
Copyright © CRC Press LLC