Logical Analysis and Verification of Cryptographic Protocols - Loria
CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES
– Directed chosen message attack: this attack is similar to the chosen message
attack, except that the list of messages for which the intruder obtains
A's signatures may be created after seeing A's public key but before
any signatures are seen.
– Adaptive chosen message attack: an intruder is allowed to use the signer
A as an oracle, that is, not only may the intruder request from the
agent A signatures of messages which depend on A's public key, but he
may also request signatures of messages which depend additionally
on previously obtained signatures.
The above attacks are listed in order of increasing severity, with the adaptive
chosen message attack being the most severe natural attack an intruder can mount.
Description of the breaks. The different notions of breaking a signature scheme
that we give below were initially introduced in [117, 153].
We say that an intruder forges a signature if he is able to produce a new signature
which will be accepted as that of some other agent.
One might say that the intruder has broken a signature scheme if his attack
allows him to do one of the following with a non-negligible probability:
• Total break: an intruder is able to compute the secret key information of an
agent.
• Universal forgery: an intruder is able to find an efficient signing algorithm
functionally equivalent to an agent’s signing algorithm.
• Selective forgery: an intruder is able to forge a signature for a particular
message or class of messages chosen a priori. Creating the signature does
not directly involve the legitimate signer.
• Existential forgery: an intruder is able to forge a signature for at least one
message. The intruder has little or no control over the message whose
signature is obtained, and the legitimate signer may be involved in the
deception.
The kinds of “breaks” are listed above in order of decreasing severity; the least
the intruder might hope for is to succeed with an existential forgery. We say that
a signature scheme is respectively totally breakable, universally forgeable, selectively
forgeable, or existentially forgeable if it is breakable in one of the above senses.
From now on, we are interested only in signature schemes with appendix,
and for simplicity, we write “signature schemes” instead of “signature schemes
with appendix”.
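
The adaptive chosen message attack and the existential forgery defined above can be checked concretely with the following added example, which is not part of the original text. It assumes textbook RSA as the scheme under test, a constructed toy key, and hypothetical names (`Signer`, `raw`, `hashed`, `adaptive_attempt`); it compares a signer that exponentiates the raw message with one that signs a hash of it.

```python
import hashlib

# Constructed toy key (assumption, far too weak for real use): two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # A's secret exponent

def raw(m):
    """Textbook RSA: the message itself is exponentiated (vulnerable encoding)."""
    return m % N

def hashed(m):
    """Hash-then-sign: a SHA-256 digest of the message is exponentiated."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

class Signer:
    """Agent A used as a signing oracle; remembers every message it signed."""
    def __init__(self, encode):
        self.encode, self.queried = encode, set()

    def sign(self, m):
        self.queried.add(m)
        return pow(self.encode(m), D, N)

    def verify(self, m, s):
        return pow(s, E, N) == self.encode(m)

    def is_forgery(self, m, s):
        # A break only counts if A never signed m itself.
        return m not in self.queried and self.verify(m, s)

def adaptive_attempt(signer):
    """Two oracle queries, the second depending on the first signature."""
    m1 = 2
    s1 = signer.sign(m1)
    m2 = s1 % 1000 + 3          # adaptive: built from a previously obtained signature
    s2 = signer.sign(m2)
    m, s = (m1 * m2) % N, (s1 * s2) % N   # the intruder does not choose m freely
    return signer.is_forgery(m, s)

if __name__ == "__main__":
    print("raw encoding forged:   ", adaptive_attempt(Signer(raw)))
    print("hashed encoding forged:", adaptive_attempt(Signer(hashed)))
```

The raw encoding is existentially forgeable in the sense above: the forged message is a product the intruder has little control over, and the legitimate signer was involved through the oracle. The hashed encoding rejects the same combination.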