Sorting out signature schemes

Abstract
Digital signature schemes are a fundamental tool for secure distributed systems. It is important to have a formal notion of what a secure digital signature scheme is, so that there is a clear interface between designers and users of such schemes. A definition that seemed final was given by Goldwasser, Micali, and Rivest in 1988, and although most signature schemes used in practice cannot be proved secure with respect to it, they are all built so that they hopefully fulfil it, e.g., by the inclusion of hash functions or redundancy to counter active attacks.

Recently, however, several signature schemes with new security properties have been presented. Most of them exist in several variants, and some of them pay for the new properties with restrictions in other respects, whose relation is not always clear. Obviously, these new properties need definitions and some classification. Unfortunately, however, none of the new schemes is covered by the definition mentioned above. Hence the new properties cannot be defined as additions, but each new type of scheme needs a new definition from scratch, although there are similarities between the definitions. This is unsatisfactory.

This paper presents (an overview of) a general definition of digital signature schemes that covers all known schemes, and hopefully all that might be invented in future. Additional properties of special types of schemes are then presented in an orthogonal way, so that existing schemes can be classified systematically. It turns out that signature schemes are best defined by a separation of service, structure, and degree of security, with a service specification in temporal logic. Several parts of such a definition can easily be reused for general definitions of other classes of cryptologic schemes.

Relations to secure multi-party protocols and logics of authentication are discussed.
