Digital signature forgery

From Wikipedia, the free encyclopedia
  (Redirected from Universal forgery)
Jump to: navigation, search

In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message m and a signature (or MAC) \sigma that is valid for m, where m has not been signed in the past by the legitimate signer. There are three types of forgery: existential, selective, and universal.[1]


Besides the following attacks, there is also a total break: when adversary can compute the signer's private key and therefore forge any possible signature on any message[2]

Existential forgery[edit]

Existential forgery is the creation (by an adversary) of at least one message/signature pair (m, \sigma), where \sigma was not produced by the legitimate signer. The adversary need not have any control over m; m need not have any particular meaning; and indeed it may even be gibberish — as long as the pair (m, \sigma) is valid, the adversary has succeeded in constructing an existential forgery.

Existential forgery is essentially the weakest adversarial goal, therefore the strongest schemes are those that are "existentially unforgeable". Nevertheless, many state-of-art signature algorithms allow existential forgery. For example, an RSA forgery can be done as follows:

  • Let e be the RSA public key.
  • Choose a random signature Sig.
  • Send the message as: Sig^e(modn)||Sig(modn).
  • The recipient check the signature: Sig^e==Sig^e so the check will pass.

Note: the sender cannot control the message content so it will be a random message, that may help in some cases.

Multiplication forgery[edit]

This forgery can be used with two messages with their signatures as follows:

  • Let x_1 = S_k(y_1) be RSA signature on the message y_1 under the key k.
  • Analogously, x_2 = S_k(y_2).
  • in that case x_1 \cdot x_2 \pmod{n} will be valid RSA signature on the message y_1 \cdot y_2 \pmod{n} under the key k.[3]

Selective forgery[edit]

Selective forgery is the creation (by an adversary) of a message/signature pair (m, \sigma) where m has been chosen by the adversary prior to the attack. m may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery, m must be fixed before the start of the attack.

The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.

Universal forgery[edit]

Universal forgery is the creation (by an adversary) of a valid signature \sigma for any given message m. An adversary capable of universal forgery is able to sign messages he chose himself (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.


  1. ^ Vaudenay, Serge (September 16, 2005). A Classical Introduction to Cryptography: Applications for Communications Security (1st ed.). Springer. p. 254. ISBN 978-0-387-25464-7. 
  2. ^ Goldwasser, Shafi; Bellare, Mihir (2008). Lecture Notes on Cryptography. Summer course on cryptography. p. 170. 
  3. ^ Kantarcioglu, Murat. "Digital Signatures" (PDF).