Digital signature forgery

In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message, , and a signature (or MAC), , that is valid for , where has not been signed in the past by the legitimate signer. There are three types of forgery: existential, selective, and universal.

Types

Besides the following attacks, there is also a total break: when adversary can compute the signer's private key and therefore forge any possible signature on any message

Existential forgery

Existential forgery is the creation (by an adversary) of at least one message/signature pair , where was not produced by the legitimate signer. The adversary need not have any control over ; need not have any particular meaning; the message content is irrelevant — as long as the pair is valid, the adversary has succeeded in constructing an existential forgery.

Existential forgery is essentially the weakest adversarial goal, therefore the strongest schemes are those that are existentially unforgeable. Nevertheless, many state-of-art signature algorithms allow existential forgery. For example, an RSA forgery can be done as follows: