Cryptographic Hardness Assumptions

As noted in the previous chapter, it is impossible to construct a digital signature scheme that is secure against an all-powerful adversary. Instead, the best we can hope for is to construct schemes that are secure against computationally bounded adversaries (which, for our purposes, means adversaries running in probabilistic polynomial time). Even for this “limited” class of adversaries, however, we do not currently have any constructions that can be proven, unconditionally, to be secure. In fact, it is not too difficult to see that the existence of a secure signature scheme would imply P ≠ NP, a breakthrough in complexity theory. (While there is general belief that P ≠ NP is true, we seem very far away from being able to prove this.) Actually, as we will see below, the existence of a secure signature scheme implies the existence of one-way functions, something not known to follow from P ≠ NP and thus an even stronger result. (Informally, the issue is that P ≠ NP only guarantees the existence of problems that are hard in the worst case. But a secure signature scheme is required to be “hard to break” on the average, in particular for “average” public keys generated by signers.)
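The following sketch, added here and not part of the original notes, makes the claim “a secure signature scheme implies P ≠ NP” explicit; it assumes the usual notation of a scheme (Gen, Sign, Vrfy) in which Vrfy runs in polynomial time.

$$
\begin{aligned}
&\text{Let } (pk, sk) \leftarrow \mathrm{Gen}(1^n) \text{ and fix a message } m. \text{ Consider the search problem} \\
&\qquad \mathcal{F} = \{ (pk, m, 1^n) : \exists\, \sigma \text{ with } |\sigma| \le \mathrm{poly}(n) \text{ and } \mathrm{Vrfy}_{pk}(m, \sigma) = 1 \}. \\
&\text{Because } \mathrm{Vrfy} \text{ runs in polynomial time, } \sigma \text{ is a polynomial-size witness, so } \mathcal{F} \in \mathrm{NP}. \\
&\text{If } \mathrm{P} = \mathrm{NP}, \text{ then by self-reducibility the witness } \sigma \text{ can be found in polynomial time} \\
&\text{(decide } \mathcal{F} \text{ on } (pk, m \,\|\, \text{prefix}) \text{ bit by bit), giving a PPT adversary that forges on } \\
&\text{every } pk \text{ for which a valid signature on } m \text{ exists, i.e. every honestly generated } pk. \\
&\text{Hence a secure scheme cannot exist under } \mathrm{P} = \mathrm{NP}; \text{ equivalently, existence } \Rightarrow \mathrm{P} \ne \mathrm{NP}. \\
&\text{Note the converse direction fails: } \mathrm{P} \ne \mathrm{NP} \text{ only gives worst-case hardness, while the} \\
&\text{adversary above succeeds as long as forging is easy on } \textit{average} \text{ keys, as the text explains.}
\end{aligned}
$$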