In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message,
, but has not been created in the past by the legitimate signer.
A signature scheme is secure by a specific definition if no forgery of the associated type is possible.
The following definitions are ordered from lowest to highest achieved security, in other words, from most powerful to the weakest attack.
More general than the following attacks, there is also a total break: when an adversary can recover the private information and keys used by the signer, they can create any possible signature on any message.
[2] Universal forgery is the creation (by an adversary) of a valid signature,
An adversary capable of universal forgery is able to sign messages they chose themselves (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.
[1] Selective forgery is the creation of a message/signature pair
may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery,
must be fixed before the start of the attack.
The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.
Existential forgery (existential unforgeability, EUF) is the creation (by an adversary) of at least one message/signature pair,
need not have any particular meaning; the message content is irrelevant — as long as the pair,
, is valid, the adversary has succeeded in constructing an existential forgery.
Thus, creating an existential forgery is easier than a selective forgery, because the attacker may select a message
In contrast, in the case of a selective forgery, the challenger can ask for the signature of a “difficult” message.
The RSA cryptosystem has the following multiplicative property:
This property can be exploited by creating a message
[5] A common defense to this attack is to hash the messages before signing them.
[5] This notion is a stronger (more secure) variant of the existential forgery detailed above.
Weak existential forgery is the creation (by an adversary) of at least one message/signature pair,
In contrast to existential forgeries, an adversary is also considered successful if they manages to create a new signature for an already signed message
Strong existential forgery is essentially the weakest adversarial goal.
Therefore the strongest schemes are those that are strongly existentially unforgeable.
This cryptography-related article is a stub.