What is the history of digital signature?

Answer 1

In the famous paper "New Directions in Cryptography", Whitfield Diffie and Martin Hellman first described the notion of a digital signature scheme, although they only conjectured that such schemes existed.[5][6] Soon afterwards, Ronald Rivest, Adi Shamir, and Len Adleman invented the RSA algorithm that could be used for primitive digital signatures[7]. (Note that this just serves as a proof-of-concept, and "plain" RSA signatures are not secure.) The first widely marketed software package to offer digital signature was Lotus Notes 1.0, released in 1989, which used the RSA algorithm. Basic RSA signatures are computed as follows. To generate RSA signature keys, one simply generates an RSA key pair containing a modulus N that is the product of two large primes, along with integers e and d such that e d = 1 mod φ(N), where φ is the Euler phi-function. The signer's public key consists of N and e, and the signer's secret key contains d. To sign a message m, the signer computes σ=md mod N. To verify, the receiver checks that σe = m mod N. As noted earlier, this basic scheme is not very secure. To prevent attacks, one can first apply a cryptographic hash function to the message m and then apply the RSA algorithm described above to the result. This approach can be proven secure in the so-called random oracle model. Other digital signature schemes were soon developed after RSA, the earliest being Lamport signatures[8], Merkle signatures (also known as "Merkle trees" or simply "Hash trees")[9], and Rabin signatures[10]. In 1984, Shafi Goldwasser, Silvio Micali, and Ronald Rivest became the first to rigorously define the security requirements of digital signature schemes[11]. They described a hierarchy of attack models: # In a key-onlyattack, the attacker is only given the public verification key. # In a known message attack, the attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker. # In a chosen message attack, the attacker first learns signatures on arbitrary messages of the attacker's choice. They also describe a hierarchy of attack results: # A total break results in the recovery of the signing key. # A universal forgery attack results in the ability to forge signatures for any message. # A selective forgery attack results in a signature on a message of the adversary's choice. # An existential forgery merely results in some valid message/signature pair not already known to the adversary. They also present the GMR signature scheme, the first that can be proven to prevent even an existential forgery against a chosen message attack.[11] Most early signature schemes were of a similar type: they involve the use of a trapdoor permutation, such as the RSA function, or in the case of the Rabin signature scheme, computing square modulo composite n. A trapdoor permutation family is a family of permutations, specified by a parameter, that is easy to compute in the forward direction, but is difficult to compute in the reverse direction. However, for every parameter there is a "trapdoor" that enables easy computation of the reverse direction. Trapdoor permutations can be viewed as public-key encryption systems, where the parameter is the public key and the trapdoor is the secret key, and where encrypting corresponds to computing the forward direction of the permutation, while decrypting corresponds to the reverse direction. Trapdoor permutations can also be viewed as digital signature schemes, where computing the reverse direction with the secret key is thought of as signing, and computing the forward direction is done to verify signatures. Because of this correspondence, digital signatures are often described as based on public-key cryptosystems, where signing is equivalent to decryption and verification is equivalent to encryption, but this is not the only way digital signatures are computed. Used directly, this type of signature scheme is vulnerable to a key-only existential forgery attack. To create a forgery, the attacker picks a random signature σ and uses the verification procedure to determine the message mcorresponding to that signature.[12] In practice, however, this type of signature is not used directly, but rather, the message to be signed is first hashed to produce a short digest that is then signed. This forgery attack, then, only produces the hash function output that corresponds to σ, but not a message that leads to that value, which does not lead to an attack. In the random oracle model, this hash-and-decrypt form of signature is existentially unforgeable, even against a chosen-message attack.[6] There are several reasons to sign such a hash (or message digest) instead of the whole document. * For efficiency: The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice. * For compatibility:Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number N). A hash function can be used to convert an arbitrary input into the proper format. * For integrity: Without the hash function, the text "to be signed" may have to be split (separated) in blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognize if all the blocks are present and in the appropriate order.