Abstract

Digital signature schemes (DSS) are ubiquitously used for public authentication in the infrastructure of the internet, in addition to their use as a cryptographic tool to construct even more sophisticated schemes such as those that are identity-based. The security of DSS is analyzed through the existential unforgeability under chosen message attack (EUF-CMA) experiment which promises unforgeability of signatures on new messages even when the attacker has access to an arbitrary set of messages and their corresponding signatures. However, the EUF-CMA model does not account for attacks such as an attacker forging a different signature on an existing message, even though the attack could be devastating in the real world and constitutes a severe breach of the security system. Nonetheless, most of the DSS are not analyzed in this security model, which possibly makes them vulnerable to such an attack. In contrast, a better security notion known as strong EUF-CMA (sEUF-CMA) is designed to be resistant to such attacks. This review aims to identify DSS in the literature that are secure in the sEUF-CMA model. In addition, the article discusses the challenges and future directions of DSS. In our review, we consider the security of existing DSS that fit our criterion in the sEUF-CMA model; our criterion is simple as we only require the DSS to be at least secure against the minimum of existential forgery. Our findings are categorized into two classes: the direct and indirect classes of sEUF-CMA. The former is inherently sEUF-CMA without any modification while the latter requires some transformation. Our comprehensive review contributes to the security and cryptographic research community by discussing the efficiency and security of DSS that are sEUF-CMA, which aids in selecting robust DSS in future design considerations.

Highlights

  • The idea of a digital signature scheme (DSS) was proposed by Diffie and Hellman in 1976 as a necessity to design efficient authenticated electronic communications which can serve as legal evidence in the court of law.[1]

  • A simple attack when a DSS is not sEUF-CMA: we show a toy example of a simple attack that an attacker can carry out if the DSS used for authentication is not sEUF-CMA.

  • We see that the security goal post has been moved from existential unforgeability under chosen message attack (EUF-CMA) to sEUF-CMA in the span of a decade and believe this is the right direction forward, as DSS is increasingly used in intricate security protocols which cannot tolerate any design flaw that arises from something as simple as malleable signatures.


Summary

Introduction

The idea of a digital signature scheme (DSS) was proposed by Diffie and Hellman in 1976 as a necessity to design efficient authenticated electronic communications which can serve as legal evidence in the court of law.[1] EUF-CMA does not guarantee that an attacker who knows (m,σ) cannot forge (m,σ′) such that σ′ on m is valid. This gave rise to a stronger security model, known as strong existential unforgeability or sEUF-CMA.[25] Figure 4 shows the interactions of the adversary with the challenger in the sEUF-CMA model. We see that this is the case for the widely used and popular EdDSA, which had recently received a provable security treatment.[38] Boneh, Shen and Waters show that non-deterministic signatures may exhibit sEUF-CMA, such as the Micali-Reyzin signatures,[39] Goh-Jarecki signatures[40] and Boneh-Boyen signatures.[11] The reason for this is that if the forger manages to re-randomize a signature on the same message, the signature constitutes an existential forgery through clever binding of the messages. This is a recurring paradigm to design sEUF-CMA signature schemes.[11,41] Since the introduction of the sEUF-CMA model, existing EUF-CMA secure DSS are re-considered in the sEUF-CMA model. DSS in even more complex cryptographic settings, such as certificateless and identity-based settings, are using sEUF-CMA as their standard model for security.[77,78,79,80] We see that the security goal post has been moved from EUF-CMA to sEUF-CMA in the span of a decade and believe this is the right direction forward, as DSS is increasingly used in intricate security protocols which cannot tolerate any design flaw that arises from something as simple as malleable signatures.

