A digital signature is a cryptographic mechanism used to verify the authenticity and integrity of digital data. We may consider it as a digital version of the ordinary handwritten signatures, but with higher levels of complexity and security.
In simple terms, we may describe a digital signature as a code that is attached to a message or document. After generated, the code acts as proof that the message hasn’t been tampered with along its way from sender to receiver.
Although the concept of securing communications using cryptography dates back to ancient times, digital signature schemes became a possible reality in the 1970s - thanks to the development of Public-Key Cryptography (PKC). So, to learn how digital signatures work, we need to first understand the basics of hash functions and public-key cryptography.
Hashing is one of the core elements of a digital signature system. The process of hashing involves transforming data of any size into a fixed-size output. This is done by a special kind of algorithms known as hash functions. The output generated by a hash function is known as a hash value or message digest.
When combined with cryptography, the so-called cryptographic hash functions can be used to generate a hash value (digest) that acts as a unique digital fingerprint. This means that any change in the input data (message) would result in a completely different output (hash value). And that’s the reason cryptographic hash functions are widely used for verifying the authenticity of digital data.
Public-key cryptography (PKC)
Public-key cryptography, or PKC, refers to a cryptographic system that makes use of a pair of keys: one public key and one private key. The two keys are mathematically related and can be used for both data encryption and digital signatures.
As an encryption tool, PKC is more secure than the more rudimentary methods of symmetric encryption. While older systems rely on the same key to encrypt and decrypt information, PKC allows for data encryption with the public key and data decryption with its corresponding private key.
Other than that, the PKC scheme may also be applied in the generation of digital signatures. In essence, the process consists of hashing a message (or digital data) along with the signer’s private key. Next, the recipient of the message can check if the signature is valid by using the public key provided by the signer.
In some situations, digital signatures may involve encryption, but that isn’t always the case. For instance, the Bitcoin blockchain makes use of PKC and digital signatures, but unlike many tend to believe, there is no encryption in the process. Technically, Bitcoin deploys the so-called Elliptic Curve Digital Signature Algorithm (ECDSA) to authenticate transactions.
How digital signatures work
In the context of cryptocurrencies, a digital signature system often consists of three basic steps: hashing, signing, and verifying.
Hashing the data
The first step is to hash the message or digital data. This is done by submitting the data through a hashing algorithm so that a hash value is generated (i.e., the message digest). As mentioned, the messages can vary significantly in size, but when they are hashed, all their hash values have the same length. This is the most basic property of a hash function.
However, hashing the data is not a must for producing a digital signature because one can use a private key to sign a message that wasn’t hashed at all. But for cryptocurrencies, the data is always hashed because dealing with fixed-length digests facilitates the whole process.
After the information is hashed, the sender of the message needs to sign it. This is the moment where public-key cryptography comes into play. There are several types of digital signature algorithms, each with its own particular mechanism. But essentially, the hashed message will be signed with a private key, and the receiver of the message can then check its validity by using the corresponding public key (provided by the signer).
Put in another way, if the private key is not included when the signature is generated, the receiver of the message won’t be able to use the corresponding public key to verify its validity. Both public and private keys are generated by the sender of the message, but only the public key is shared with the receiver.
It’s worth noting that digital signatures are directly related to the content of each message. So unlike handwritten signatures, that tend to be the same regardless of the message, each digitally signed message will have a different digital signature.
Let’s take an example to illustrate the whole process until the final step of verification. Imagine that Alice writes a message to Bob, hashes it, and then combines the hash value with her private key to generate a digital signature. The signature will work as a unique digital fingerprint of that particular message.
When Bob receives the message, he can check the validity of the digital signature by using the public key provided by Alice. This way, Bob can be sure that the signature was created by Alice because only she has the private key that corresponds to that public key (at least that’s what we expect).
So, it’s crucial for Alice to keep her private key in secret. If another person gets their hands on Alice’s private key, they can create digital signatures and pretend to be Alice. In the context of Bitcoin, this means someone could use Alice’s private key to move or spend her Bitcoins without her permission.
Why are digital signatures important?
Digital signatures are often used to achieve three results: data integrity, authentication, and non-repudiation.
Data integrity. Bob can verify that Alice’s message wasn’t changed along its way. Any modification in the message would produce a completely different signature.
Authenticity. As long as Alice’s private key is kept in secret, Bob can use her public key to confirm that the digital signatures were created by Alice and no one else.
Non-repudiation. Once the signature has been generated, Alice won’t be able to deny having signed it in the future, unless her private key gets somehow compromised.
Digital signatures can be applied to various kinds of digital documents and certificates. As such, they have several applications. Some of the most common use cases include:
Information Technology. To enhance the security of Internet communication systems.
Finance. Digital signatures can be implemented to audits, expense reports, loan agreements, and much more.
Legal. Digital signing of all sorts of business contracts and legal agreements, including governmental papers.
Healthcare. Digital signatures can prevent fraud of prescriptions and medical records.
Blockchain. Digital signature schemes ensure that only the rightful owners of the cryptocurrencies are able to sign a transaction to move the funds (as long as their private keys aren’t compromised).
The major challenges faced by digital signature schemes rely on at least three requirements:
Algorithm. The quality of the algorithms used in a digital signature scheme is important. This includes the choice of reliable hash functions and cryptographic systems.
Implementation. If the algorithms are good, but the implementation is not, the digital signature system will likely present flaws.
Private Key. If the private keys get leaked or somehow compromised, the properties of authenticity and non-repudiation will be invalidated. For cryptocurrency users, losing a private key may result in significant financial losses.
Electronic signatures vs. digital signatures
Simply put, digital signatures relate to one particular kind of electronic signatures - which refer to any electronic method of signing documents and messages. Thus, all digital signatures are electronic signatures, but the opposite isn’t always true.
The main difference between them is the authentication method. Digital signatures deploy cryptographic systems, such as hash functions, public-key cryptography, and encryption techniques.
Hash functions and public-key cryptography are at the core of digital signature systems, which are now applied to a wide range of use cases. If properly implemented, digital signatures can increase security, ensure integrity, and facilitate the authentication of all kinds of digital data.
In the blockchain realm, digital signatures are used to sign and authorize cryptocurrency transactions. They are particularly important for Bitcoin because the signatures ensure that coins can only be spent by the individuals that possess the corresponding private keys.
Although we’ve been using both electronic and digital signatures for years, there is still a lot of room for growth. A great portion of today’s bureaucracy is still based on paperwork, but we will likely see more adoption of digital signature schemes as we migrate to a more digitalized system.