Logical Analysis and Verification of Cryptographic Protocols - Loria
1.2. CRYPTOGRAPHIC PRIMITIVES
from the encryption of the messages m1 and m2 the encryption of the new
message m1 ∗ m2 without knowing the encryption key. The RSA public
encryption scheme possesses this property [112].
Prefix property. The prefix property means that one can get from an encrypted
message the encryption of any of its prefixes, and it is formally represented
as follows: from a message enc(<x, y>, z) one can get the message
enc(x, z).
1.2.5 Signature
Digital signature schemes first appeared in W. Diffie and M.E. Hellman’s seminal
paper [101]. Their most important goal is to demonstrate the authenticity of a
digital message or document: a valid digital signature gives a recipient reason
to believe that the message was created by a known sender, and that it was not
altered in transit.
Such schemes are described by three algorithms: the signature generation
“sig”, the verification “ver”, and the key generation “G” algorithms. The key
generation algorithm takes as input an agent name A and a randomly generated
number and returns a pair of public and secret keys, respectively denoted by
Pk(A) and Sk(A), corresponding to that agent. This random number allows any
agent to have a different pair of keys for each session while using the same
key generation function. The signature generation algorithm takes as input a message
and an agent’s private key, and outputs the signature of the given agent for the
given message. There are two types of verification algorithms:
• The verification algorithm of the first type takes as input a message, a signature,
and an agent’s public key, and outputs “succeeds” if the given signature
corresponds to the signature produced by the given agent for the given
message.
• A verification algorithm of the second type takes as input a signature and
an agent’s public key, recovers the message that has been signed from the
signature and returns it, provided that the given signature was produced by the
given agent.
When the verification algorithm is of the first type, we call the signature scheme
“a signature scheme with appendix” and when the verification algorithm is of
the second type, we call the signature scheme “a signature scheme with message
recovery”.
A perfect signature scheme with appendix is represented by the following
equation:
ver(x, sig(x, Sk(y)), Pk(y)) = 1
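
The three algorithms G, sig and ver, with both kinds of verification, as an added example that is not part of the original text. It uses toy textbook RSA in Python; the hash-then-sign encoding, the 16-byte redundancy tag used for message recovery, and the seed-derived 256-bit primes are assumptions made for illustration and are not a secure scheme.

```python
import hashlib
# Toy textbook RSA, constructed for illustration: key size and encodings are assumptions.
E = 65537  # public exponent

def _h(tag: bytes, data: bytes, bits: int) -> int:
    """Domain-separated SHAKE-256 of data, as an integer below 2**bits."""
    return int.from_bytes(hashlib.shake_256(tag + b"|" + data).digest(bits // 8), "big")

def _is_prime(n: int) -> bool:
    """Miller-Rabin with 12 fixed bases; callers pass large odd n only."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def G(agent: str, rnd: int):
    """Key generation: agent name + random number -> (Pk(A), Sk(A))."""
    def prime(tag: bytes) -> int:
        c = _h(tag, f"{agent}|{rnd}".encode(), 256) | (1 << 255) | 1
        while (c - 1) % E == 0 or not _is_prime(c):  # keep E invertible mod phi
            c += 2
        return c
    p, q = prime(b"p"), prime(b"q")
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def sig(x: bytes, sk) -> int:
    """With appendix: sig(x, Sk(y)) signs a hash of x; x travels alongside."""
    return pow(_h(b"fdh", x, 504), sk[1], sk[0])

def ver(x: bytes, s: int, pk) -> bool:
    """Type 1: ver(x, sig(x, Sk(y)), Pk(y)) = 1 exactly when s signs x."""
    return pow(s, pk[1], pk[0]) == _h(b"fdh", x, 504)

def sig_mr(x: bytes, sk) -> int:
    """Message recovery: sign x itself, padded with a 16-byte redundancy tag."""
    n, d = sk
    m = int.from_bytes(b"\x01" + x + hashlib.sha256(x).digest()[:16], "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, d, n)

def ver_mr(s: int, pk):
    """Type 2: recover and return the signed message, or None if invalid."""
    raw = pow(s, pk[1], pk[0]).to_bytes(64, "big").lstrip(b"\x00")
    x, tag = raw[1:-16], raw[-16:]
    return x if raw[:1] == b"\x01" and hashlib.sha256(x).digest()[:16] == tag else None
```

Calling G with the same agent name and a different random number yields a different key pair, which is the per-session behaviour described above.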