We recognize several different types of forgeries which can be made:
\begin{itemize}
- \item An \emph{existiential forgery} occurs when an adversary creates a
+ \item An \emph{existential forgery} occurs when an adversary creates a
valid signature for some arbitrary message not of its choosing.
\item An \emph{selective forgery} occurs when an adversary creates a valid
signature for a message that it chooses.
\end{slide}
\begin{slide}
- \head{Fixing RSA, 2: \PKCS1 padding (cont.)}
+ \head{\PKCS1 signature padding (cont.)}
- Diagramatically, \PKCS1 signature looks like this:
+ Diagrammatically, \PKCS1 signature looks like this:
\begin{tabular}[C]{r|c|c|c|c|c|} \hlx{c{2-6}v}
\hex{00} & \hex{01} &
\hex{FF} \hex{FF} \ldots \hex{FF} &
\[ \Pr[F] = \Pr[F \land N] + \Pr[F \land \lnot N]
\quad \text{so} \quad
\Pr[F \land \lnot N] = \Pr[F] - \Pr[F \land N]. \]%
- From the above discussion, we ahave
+ From the above discussion, we have
\[ \Pr[V \land N] = \Pr[F \land N]
\quad \text{and} \quad
\Pr[V \land \lnot N] \ge \frac{1}{q_H} \Pr[F \land \lnot N]. \]%
Most of the \ABORT statements in the main inverter routine detect incorrect
signatures. The final one, asserting $x \notin \Xid{I}{map}$, can't happen
- unless the signaure is a duplicate of one we already gave.
+ unless the signature is a duplicate of one we already gave.
The \ABORT{}s in $H$ and \id{sign} detect conditions in which the
adversary has successfully distinguished its simulated environment from