# Digital signature forgery

In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message, $m$, and a signature (or MAC), $\sigma$, that is valid for $m$, where $m$ has not been signed in the past by the legitimate signer. There are three types of forgery: existential, selective, and universal.

## Types

Besides the following attacks, there is also a total break: the adversary can compute the signer's private key and can therefore forge any possible signature on any message.

### Existential forgery (existential unforgeability, EUF)

Existential forgery is the creation (by an adversary) of at least one message/signature pair, $(m,\sigma)$, where $\sigma$ was not produced by the legitimate signer. The adversary need not have any control over $m$, and $m$ need not have any particular meaning; the message content is irrelevant. As long as the pair $(m,\sigma)$ is valid, the adversary has succeeded in constructing an existential forgery.

Existential forgery is essentially the weakest adversarial goal; therefore, the strongest schemes are those that are existentially unforgeable.

#### Signature of a product of two messages

Take an algorithm, like RSA, with the multiplicative property:

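$\sigma(m_1)\cdot \sigma(m_2)=\sigma(m_1\cdot m_2)$.

This property can be exploited by sending a message $m'=m_1\cdot m_2$ with a signature $\sigma(m')=\sigma(m_1\cdot m_2)$, which anyone holding the legitimate signatures on $m_1$ and $m_2$ can compute as their product, without the private key.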

A common defense against this attack is to hash the messages before signing them.
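The following is an added example, not part of the original article, that checks the multiplicative property on unpadded RSA and shows that hashing before signing removes it. The key (built from two Mersenne primes), the function names, and the sample messages are constructed for illustration, and the hash reduced modulo $N$ stands in for a real encoding such as RSA-PSS.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small and structured for real use.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def digest(m: int) -> int:
    """SHA-256 of the message bytes, reduced modulo N (simplified encoding)."""
    raw = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N


def sign_textbook(m: int) -> int:
    """Unpadded RSA: sigma(m) = m^D mod N, which is multiplicative."""
    return pow(m, D, N)


def verify_textbook(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N


def sign_hashed(m: int) -> int:
    """Hash-then-sign: sigma(m) = H(m)^D mod N."""
    return pow(digest(m), D, N)


def verify_hashed(m: int, sig: int) -> bool:
    return pow(sig, E, N) == digest(m)


def product_is_accepted(sign, verify, m1: int, m2: int) -> bool:
    """Multiply two legitimate signatures; report whether the verifier accepts
    the result as a signature on m1*m2, a message the signer never signed."""
    s1, s2 = sign(m1), sign(m2)  # obtained from the signer, not computed with D
    return verify((m1 * m2) % N, (s1 * s2) % N)


if __name__ == "__main__":
    m1, m2 = 1234567, 7654321  # constructed sample messages
    print("textbook RSA accepts product: ",
          product_is_accepted(sign_textbook, verify_textbook, m1, m2))
    print("hash-then-sign accepts product:",
          product_is_accepted(sign_hashed, verify_hashed, m1, m2))
```

With hashing, the product of the two signatures verifies against $H(m_1)\cdot H(m_2)$ rather than $H(m_1\cdot m_2)$, so the verifier rejects it.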

### Selective forgery (selective unforgeability, SUF)

Selective forgery is the creation of a message/signature pair $(m,\sigma )$ by an adversary, where $m$ has been chosen by the adversary prior to the attack. $m$ may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery, $m$ must be fixed before the start of the attack.

The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.

### Universal forgery (universal unforgeability, UUF)

Universal forgery is the creation (by an adversary) of a valid signature, $\sigma$, for any given message, $m$. An adversary capable of universal forgery is able to sign messages of their own choosing (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.