0

For signatures, there is the security goal of existential unforgeability. As seen here and noted here (german source) the security goal can be split into weak and strong unforgeability for chosen message attacks.

As far as I understand it, the difference between strong and weak is having a completely arbitrary message to sign, or a message that has not yet been signed.

My question: Is there any reason why this definition can not be applied to known message attacks?

Titanlord
  • 2,244
  • 11
  • 31
  • Who says that it can't? But more importantly what is a known message attack on signatures to you? – Maeher Jun 25 '22 at 13:42
  • I mean, that the adversary has access to some message signature pairs (not chosen by A)... Interestingly no one stated, that it is not possible, but they explicitly considered the case of sEUF and wEUF only for chosen message – Titanlord Jun 27 '22 at 08:03

0 Answers0