Digital Signatures Do Not Guarantee Exclusive Ownership

Thomas Pornin and Julien P. Stern
Cryptolog International, Paris, France

Abstract. Digital signature systems provide a way to transfer trust from the public key to the signed data; this is used extensively within PKIs. However, some applications need a transfer of trust in the other direction, from the signed data to the public key. Such a transfer is cryptographically robust only if the signature scheme has a property which we name exclusive ownership. In this article, we show that the usual signature algorithms, such as RSA [3] and DSS [4], do not have that property. Moreover, we describe several constructs which may be used to transform a signature scheme into another signature scheme which provides exclusive ownership.

1 Introduction

Digital signature schemes based on public-key cryptography are now used in many communication protocols. Signatures are used to convey trust from a public key to the data which is signed: if the public key is known (by some other means) to be associated with some entity who owns it (i.e., the entity has exclusive access to the corresponding private key), then a valid signature on some data proves, in a way verifiable by third parties and non-repudiable by the key owner, that the key owner had access to the data and deliberately agreed to that association between his public key and the data. This assumes, of course, that no other entity than the key owner has access to the private key, and that the signature and verification algorithms are uncrackable with today's technology. Various semantics can be attached to the signature; PKIs use it as a way to certify that the data is correct (the key owner formally guarantees the exactness of the data).

In this article we are interested in the reverse problem in which a signature on some data is known and we want to know whether the existence of a public key which validates that signature implies that the
