Template:Context In a cryptographic digital signature or MAC system, forgery is the ability to create a pair consisting of a message ${\displaystyle m}$ and a signature (or MAC) ${\displaystyle \sigma}$ that is valid for ${\displaystyle m}$, where ${\displaystyle m}$ has not been signed in the past by the legitimate signer. There are three types of forgery: Existential, Selective, and Universal.[1]

## Types

### Existential forgery

Existential forgery is the creation (by an adversary) of any message/signature pair ${\displaystyle (m, \sigma)}$, where ${\displaystyle \sigma}$ was not produced by the legitimate signer. The adversary need not have any control over ${\displaystyle m}$; ${\displaystyle m}$ need not have any particular meaning; and indeed it may even be gibberish — as long as the pair ${\displaystyle (m, \sigma)}$ is valid, the adversary has succeeded in constructing an existential forgery.

Existential forgery is essentially the weakest adversarial goal, therefore the strongest schemes are those which are "existentially unforgeable".

### Selective forgery

Selective forgery is the creation (by an adversary) of a message/signature pair ${\displaystyle (m, \sigma)}$ where ${\displaystyle m}$ has been chosen by the challenger prior to the attack. ${\displaystyle m}$ may be chosen to have interesting mathematical properties with respect to the signature algorithm; however, in selective forgery, ${\displaystyle m}$ must be fixed before the start of the attack.

The ability to successfully conduct a selective forgery attack implies the ability to successfully conduct an existential forgery attack.

### Universal forgery

Universal forgery is the creation (by an adversary) of a valid signature ${\displaystyle \sigma}$ for any given message ${\displaystyle m}$. An adversary capable of universal forgery is able to sign messages he chose himself (as in selective forgery), messages chosen at random, or even specific messages provided by an opponent.

## References

1. Template:Cite book

Template:Crypto-stub