3

In the definition of existential unforgeability, there is no detail about the following questions.

In general, can we suppose that a signer is also a possible adversary? When generating a signature, can we suppose that the signer behaves well?

More precisely, suppose that a signer can generate a signature that is valid for another document of his choice. Despite this, for a correctly generated signature, suppose that the signature scheme used is secure when considering an adversary who is not the signer; that is to say, this adversary cannot generate a signature for any other document. Is this signature scheme considered secure?

What is the standard (conventional) hypothesis about that?

I update in reaction to the comment:

In fact,

  1. If the signer behaves well, then the signature is unforgeable (for the signer or any adversary who is not the signer).

  2. If the signer misbehaves, then the signature is forgeable (for the signer, without using the key, and for any adversary).

Is this kind of scheme considered secure in the sense of existential forgeability? Can we suppose that the signer behaves well?

Patriot
  • 3,132
  • 3
  • 18
  • 65
Dingo13
  • 2,867
  • 3
  • 27
  • 46
  • It depends on what you mean. If the secret key is necessary to find the second document, then it is fine. If you know the secret key, you can already sign anything you want. However, if it is possible to find the second document given only the original message, signature and public key, then the scheme is trivially forgeable. – Maeher Feb 10 '14 at 19:33
  • Thank you @Maeher. The secret key is \textbf{not} necessary to find the second document. – Dingo13 Feb 10 '14 at 19:43
  • In fact, 1) if the signer behaves well, then the signature is unforgeable (for the signer or any adversary which is not the signer). 2) if the signer misbehaves, then the signature is forgeable (for the signer, without using the key, and for any adversary). Is this king of scheme considered secure in the sense of existential forgeability ? can we suppose that the signer behaves well ? Thank you. – Dingo13 Feb 10 '14 at 19:51
  • 1
    @Dingo13 what do you mean by "misbehaves"? Btw. didn't you ask a quite similar question already? – DrLecter Feb 10 '14 at 20:02
  • @DrLecter misbehaves = does not behave well. – Dingo13 Feb 10 '14 at 20:08
  • @Dingo13 very helpful ;) "if the signer misbehaves, then the signature is forgeable (for the signer, without using the key, and for any adversary)" you have your answer already and fgrieu made it more explicit... – DrLecter Feb 10 '14 at 20:10
  • 3
    There are versions of signatures in which the signer is a possible adversary, although that property is not called unforgeability. $:$ See fail-stop signatures, undeniable signatures, and unconditionally secure signatures. $;;;$ –  Feb 10 '14 at 22:19
  • @Ricky Demer: You just opened my eyes to what the question really asked!! – fgrieu Feb 13 '14 at 08:16
  • 1
    @fgrieu this seems only to be a desirable property in some scenarios as Ricky pointed out. I am not aware of any rigorous formal definition of such a property for conventional digital signatures. At least for plain hash-then-sign signatures such a signer who efficiently can do this, can be used as oracle to break the used hash function. – DrLecter Feb 13 '14 at 08:36

2 Answers2

3

The standard definition of existential forgery allows the adversary to ask and obtain the signature of any message she wants, and claim success if she can exhibit (with sizable odds) any acceptable (message, signature) pair, for any message for which she did not ask signature.

Update: There is also strong existential unforgeability, where the adversary should not be able to exhibit any acceptable (message, signature) pair for which she did not obtain that signature by asking for the signature of that message. For a use case making the headlines where that strong makes a huge difference, see these links.

Note: in a signature scheme with message recovery, any fraction of the message embedded in the signature needs not be exhibited by the adversary, and is as obtained by the verifier for the purpose of comparison to what the adversary submitted.

Corrected: If "a signer is able to generate a signature which is valid for an other document (that is, message) of his choice", then that scheme is vulnerable to existential forgery. The adversary obtains the signature of the first message, submits that signature unchanged together with the second message, and wins with 100% odds the existential forgery game. Oh no, only the signer could do this, using access to the private key!

Existential forgery is the strongest a strong theoretical criteria for signature. However, it assumes that the signer does not misbehave beside allowing the signature of arbitrary messages; in particular, it is assumed that the signer (or the Smart Card used for signature) does not leak the private key only uses the private key as prescribed, and properly implements every step in the algorithm, like generating truly random numbers.

Update: This spot-on comment by Ricky Demer gives names of security criteria for signatures protected from some attacks by the signer / private key holder.

Update: as pointed by DrLecter in a comment, the standard way to model the signer for a scheme secure against existential forgery (we also say: secure under chosen message attack) is as an oracle that accepts any message and outputs its signature. That oracle is assumed to implement the signature scheme exactly as specified. For more details, I refer to DrLecter's thesaurus of signature security models.

Community
  • 1
fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • Thank you. "However, the theoretician assumes that the signer does not misbehaves intentionally besides allowing the signature of arbitrary messages;". What is the theoritical model for this kind of signer ? – Dingo13 Feb 10 '14 at 20:12
  • 1
    By modeling the signer as a signing oracle which can be queried by the adversary. – DrLecter Feb 10 '14 at 20:13
  • Thank you @DrLecter. So a signing oracle is assumed to make truly random choices... And the model of security remains the standard "existential unforgeability" ? – Dingo13 Feb 10 '14 at 20:18
  • 1
    @Dingo13 that depends on the model you are working in. if you consider existential unforgeability against (adaptively) chosen message attacks (the standard and strongest security notion), then the adversary can choose an arbitrary message of its choice and submit it to the oracle. if you consider existential unforgeability against random message attacks, then the oracle randomly (typically unfiformly at random) samples a message for the adversary, i.e., the message can not be controlled by the adversary. In any case, the oracle returns an honestly computed signature for the respective message. – DrLecter Feb 10 '14 at 20:21
  • 1
    cont. you may also look at this related answer which makes the attack/model stuff more explicit. – DrLecter Feb 10 '14 at 20:27
  • 1
    "In any case, the oracle returns an honestly computed signature for the respective message." If the signing oracle seems perfect, in practice, if the signer has to choose pseudorandom numbers, he could choose numbers of his choice, and in this case the scheme is no secure. Not ? What kind of model I have to choose in this case ? – Dingo13 Feb 10 '14 at 20:28
  • @Dingo13: I do not know a standard model/name for the situation in your comment where the signers chooses bad random numbers, if I get you correctly. Perhaps we could call that secure under the assumption of broken RNG; or just secure without requiring a RNG. – fgrieu Feb 10 '14 at 20:32
  • 1
    @Dingo If you take ElGamal or Schnorr signatures, producing two signatures with respect to the same randomness for different messages allows to extract the secret signing key. You are right, that is a problem, but it is not covered by any unforgeability notion. – DrLecter Feb 10 '14 at 20:34
1

As already discussed by @fgrieu in his answer and myself in the comments of your question and his answer, the standard notion of security of digital signature schemes, namely (strong) existential unforgeability under adaptively chosen message attacks (UF-CMA), does not cover the case you are concerned about.

At least for hash-then-sign signatures built upon a trapdoor permutation (as RSA), such a signer who efficiently can do this, can be used as an oracle to break the collision resistance of the used hash function.

Nevertheless, it kept me thinking if there is a standard notion which could be applied to any signature scheme and if this has been considered somewhere.

In the Crypto'02 paper Flaws in Applying Proof Methodologies to Signature Schemes, Stern et al. introduce a property which covers exactly the aspect you are targeting in your question (however this is not a commonly investigated property in the design of signature schemes).

Essentially, it is a formalization of the non-repudiation property, which requires that an adversary that is in possession of the secret signing key (and potentially is also able to influence the key generation process) will not be able to produce two messages with the same signature, a so called duplicate signature in their language. Consequently, this attack indeed considers the signer as an adversary.

In Section 4 of the paper, they provide an attack on ECDSA which produces such a duplicate signature, i.e., a signature valid for two distinct messages. if the adversary can control the key generation process used to produce the actual signing key.

Just as a side note, Stern et al. in the same paper also introduce a property denoted as malleability, which is today known strong unforgeability, i.e., it ensures that an adversary (holding the public key) cannot even produce a new signature for a previously obtained signed message. This notion for instance cannot be satisfied by randomizable signatures (such as Camenisch Lysyanskaya signatures), which allow to transform a signature $\sigma$ for some message $m$ into another signature $\sigma'\neq \sigma$ for the same $m$ without requiring the secret signing key.

DrLecter
  • 12,547
  • 3
  • 43
  • 61
  • Thanks @DrLecter, this notion of (non ?)-malleability from Stern (also known strong unforgeability) is the same notion as UF-CMA ? – Dingo13 Feb 27 '14 at 08:48
  • @Dingo13 The standard UF-CMA notion could be called weak unforgeability, as the attackers goal is to output a signature for a message for which he has not already seen a signature. In strong unforgeability, the adversary already suceeds when producing a signature that has not been produced before (this forgery can be for a message for which he has already seen a signature before). So it is a stronger notion as the usual UF-CMA security notion. – DrLecter Feb 27 '14 at 08:51
  • Thanks @DrLecter, the term strong unforgeability is quite recent... This notion of "non-malleability"(="strong UF-CMA") is always valid in secret key settings ? – Dingo13 Feb 27 '14 at 08:58
  • @Dingo13 yes. What do you mean by "same secret key settings"? – DrLecter Feb 27 '14 at 08:59
  • I mean that for secret key cryptography the notions used are the same, and we have always "non-malleability"="strong UF-CMA" – Dingo13 Feb 27 '14 at 09:02
  • @Dingo13 I do not have the exact definiton of non-malleability of MACs at hand and I am not sure whether there is a distinction of weak and strong unforgeabiltiy in the symmetric (MAC) setting. But you may ask this as a seperate question? – DrLecter Feb 27 '14 at 09:05