
In the definition of existential unforgeability, there is no detail about the following questions.

In general, can we suppose that a signer is also a possible adversary? When generating a signature, can we suppose that the signer behaves well?

More precisely, suppose that a signer can generate a signature that is valid for another document of his choice. Despite this, for a correctly generated signature, suppose that the signature scheme used is secure when considering an adversary who is not the signer; that is to say, this adversary cannot generate a signature for any other document. Is this signature scheme considered secure?

What is the standard (conventional) hypothesis about that?

I am updating in reaction to the comment:

In fact,

  1. If the signer behaves well, then the signature is unforgeable (for the signer or any adversary who is not the signer).

  2. If the signer misbehaves, then the signature is forgeable (for the signer, without using the key, and for any adversary).

Is this kind of scheme considered secure in the sense of existential forgeability? Can we suppose that the signer behaves well?

Patriot
Dingo13

2 Answers


The standard definition of existential forgery allows the adversary to ask and obtain the signature of any message she wants, and claim success if she can exhibit (with sizable odds) any acceptable (message, signature) pair, for any message for which she did not ask a signature.

Update: There is also strong existential unforgeability, where the adversary should not be able to exhibit any acceptable (message, signature) pair for which she did not obtain that signature by asking for the signature of that message. For a use case making the headlines where that strong notion makes a huge difference, see these links.

Note: in a signature scheme with message recovery, any fraction of the message embedded in the signature need not be exhibited by the adversary, and is as obtained by the verifier for the purpose of comparison to what the adversary submitted.

Corrected: If "a signer is able to generate a signature which is valid for another document (that is, message) of his choice", then that scheme is vulnerable to existential forgery. The adversary obtains the signature of the first message, submits that signature unchanged together with the second message, and wins with 100% odds the existential forgery game. Oh no, only the signer could do this, using access to the private key!

Existential forgery is a strong theoretical criterion for signatures. However, it assumes that the signer does not misbehave beside allowing the signature of arbitrary messages; in particular, it is assumed that the signer (or the Smart Card used for signature) does not leak the private key, only uses the private key as prescribed, and properly implements every step in the algorithm, like generating truly random numbers.

Update: This spot-on comment by Ricky Demer gives names of security criteria for signatures protected from some attacks by the signer / private key holder.

Update: as pointed out by DrLecter in a comment, the standard way to model the signer for a scheme secure against existential forgery (we also say: secure under chosen message attack) is as an oracle that accepts any message and outputs its signature. That oracle is assumed to implement the signature scheme exactly as specified. For more details, I refer to DrLecter's thesaurus of signature security models.

fgrieu

As already discussed by @fgrieu in his answer and myself in the comments of your question and his answer, the standard notion of security of digital signature schemes, namely (strong) existential unforgeability under adaptively chosen message attacks (UF-CMA), does not cover the case you are concerned about.

At least for hash-then-sign signatures built upon a trapdoor permutation (as RSA), such a signer who can efficiently do this can be used as an oracle to break the collision resistance of the used hash function.

Nevertheless, it kept me thinking whether there is a standard notion which could be applied to any signature scheme and whether this has been considered somewhere.

In the Crypto'02 paper Flaws in Applying Proof Methodologies to Signature Schemes, Stern et al. introduce a property which covers exactly the aspect you are targeting in your question (however this is not a commonly investigated property in the design of signature schemes).

Essentially, it is a formalization of the non-repudiation property, which requires that an adversary that is in possession of the secret signing key (and potentially is also able to influence the key generation process) will not be able to produce two messages with the same signature, a so called duplicate signature in their language. Consequently, this attack indeed considers the signer as an adversary.

In Section 4 of the paper, they provide an attack on ECDSA which produces such a duplicate signature, i.e., a signature valid for two distinct messages, if the adversary can control the key generation process used to produce the actual signing key.

Just as a side note, Stern et al. in the same paper also introduce a property denoted as malleability, which is today known as strong unforgeability, i.e., it ensures that an adversary (holding the public key) cannot even produce a new signature for a previously obtained signed message. This notion for instance cannot be satisfied by randomizable signatures (such as Camenisch-Lysyanskaya signatures), which allow one to transform a signature $\sigma$ for some message $m$ into another signature $\sigma'\neq \sigma$ for the same $m$ without requiring the secret signing key.

DrLecter
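The forgery games described in fgrieu's answer, together with the strong-unforgeability and duplicate-signature notions from this answer, as an added example that is not code from either answer or from the Stern et al. paper. It assumes a toy hash-then-sign RSA scheme over fixed Mersenne primes, with a constructed random tag that the verifier ignores, so the scheme is randomizable in the sense described above; the messages and the `ForgeryGame` class are constructed for illustration.

```python
import hashlib
import secrets

# Toy hash-then-sign RSA over fixed Mersenne primes; constructed for illustration only.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> tuple:
    # (RSA core, random tag); verify() ignores the tag, so anyone can re-randomize.
    return (pow(h(msg), D, N), secrets.randbelow(1 << 64))

def verify(msg: bytes, sig: tuple) -> bool:
    core, _tag = sig
    return pow(core, E, N) == h(msg)

class ForgeryGame:
    # Signing oracle plus the two winning conditions from the answers above.
    def __init__(self):
        self.queried_msgs = set()   # existential unforgeability: new message
        self.issued_pairs = set()   # strong unforgeability: new (message, sig) pair
    def oracle(self, msg):
        sig = sign(msg)
        self.queried_msgs.add(msg)
        self.issued_pairs.add((msg, sig))
        return sig
    def wins_uf(self, msg, sig):
        return verify(msg, sig) and msg not in self.queried_msgs
    def wins_suf(self, msg, sig):
        return verify(msg, sig) and (msg, sig) not in self.issued_pairs

def is_duplicate_signature(m1: bytes, m2: bytes, sig: tuple) -> bool:
    # Stern et al.'s notion: one signature valid for two distinct messages (a hash collision here).
    return m1 != m2 and verify(m1, sig) and verify(m2, sig)

def demo() -> dict:
    game = ForgeryGame()
    m1, m2 = b"pay 10 EUR", b"pay 100 EUR"   # constructed sample messages
    core, tag = game.oracle(m1)
    rerandomized = (core, (tag + 1) % (1 << 64))  # no secret key needed
    return {
        "rerandomized_valid": verify(m1, rerandomized),
        "uf_win": game.wins_uf(m1, rerandomized),    # False: m1 was queried
        "suf_win": game.wins_suf(m1, rerandomized),  # True: new pair
        "reuse_on_other_msg": verify(m2, (core, tag)),  # False: hash differs
        "duplicate": is_duplicate_signature(m1, m2, (core, tag)),  # False
    }
```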