EUF-CMA

EUF-CMA, existential unforgeability under chosen-message attack, is the standard security notion for a digital signature scheme. In the game the attacker receives a public key and an oracle that signs any messages it chooses, adaptively. The attacker wins by outputting a valid signature on any message it never queried, an existential forgery. A scheme is EUF-CMA secure if no efficient attacker wins with non-negligible probability.

Variants and use

A stronger variant, SUF-CMA (strong unforgeability), additionally forbids producing a new signature on an already-signed message, which matters where signatures must be non-malleable. NIST analyzes its post-quantum signature standards in this framework: FIPS 204 specifies ML-DSA, built with a Fiat-Shamir transform, and FIPS 205 specifies the hash-based SLH-DSA; both target EUF-CMA and, in their concrete analyses, strong unforgeability. The notion dates to the 1988 definition of Goldwasser, Micali, and Rivest.

Sources

  1. FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
  2. FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
Cite this entry
"EUF-CMA." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/euf-cma@misc{pqwiki-euf-cma, title = {EUF-CMA}, howpublished = {\url{https://postquantum.wiki/euf-cma}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }