Digital Signatures

At the heart of every secure digital transaction lies a remarkable mathematical operation: the generation of a digital signature. This process transforms a private key and a message hash into a cryptographic proof that is trivially easy to verify but computationally impossible to forge.

The elegance of signature generation lies in its asymmetry. Creating a signature requires knowledge of the private key—a secret known only to the signer. But verifying that signature requires only the public key, which can be freely distributed. This fundamental asymmetry enables trust in an untrustworthy world: anyone can verify, but only the authorized party can sign.

In this page, we'll journey through the mathematical machinery behind signature generation. We'll explore the four major families of signature algorithms—RSA, DSA, ECDSA, and EdDSA—understanding not just the 'what' but the 'why' behind each approach. By the end, you'll possess the knowledge to evaluate signature schemes, understand their security guarantees, and appreciate the decades of cryptographic research that makes secure digital communication possible.

Before examining specific algorithms, let's establish the general framework all digital signature schemes share. Understanding this abstraction clarifies what each algorithm must accomplish and enables meaningful comparison.

A Digital Signature Scheme Consists of Three Algorithms:

1. Key Generation (KeyGen) Generates a mathematically related key pair:

• Private Key (sk): Kept secret by the signer; enables signature creation
• Public Key (pk): Shared publicly; enables signature verification

The relationship between sk and pk is one-way: given sk, computing pk is easy; given pk, computing sk is computationally infeasible. This asymmetry is the core requirement.

2. Signing (Sign) Takes the private key and a message (or message hash) and produces a signature:

σ = Sign(sk, m)    or    σ = Sign(sk, H(m))

The signature σ is a fixed-size value that binds the signer's identity (via sk) to the message content.

3. Verification (Verify) Takes the public key, message, and signature, and outputs a boolean indicating validity:

Valid = Verify(pk, m, σ)

If the signature was created using the private key corresponding to pk, and the message hasn't been modified, verification returns true.

Security Requirements:

• Correctness: Honestly generated signatures always verify correctly
• Unforgeability (EUF-CMA): An attacker who sees many (message, signature) pairs still cannot create a valid signature for any new message

RSA, invented in 1977 by Rivest, Shamir, and Adleman, was the first practical public-key signature scheme. Its security rests on the difficulty of factoring large composite numbers—a problem that has resisted efficient solutions for centuries of mathematical investigation.

RSA Key Generation:

1. Choose two large random primes p and q (typically 1024 bits each for RSA-2048)
2. Compute n = p × q (the modulus)
3. Compute φ(n) = (p-1)(q-1) (Euler's totient)
4. Choose public exponent e (commonly 65537 = 2¹⁶ + 1)
5. Compute private exponent d such that e × d ≡ 1 (mod φ(n))

Key Pair:

• Public key: (n, e)
• Private key: d (often stored with p, q for efficiency)

The Core Mathematics: RSA leverages Euler's theorem: for any integer m coprime to n:

m^(φ(n)) ≡ 1 (mod n)

This means: m^(e×d) ≡ m × m^(k×φ(n)) ≡ m × 1^k ≡ m (mod n)

The private operation 'undoes' the public operation, and vice versa.

Textbook RSA Signing (Simplified):

Signature: σ = H(m)^d mod n
Verification: H(m) =? σ^e mod n

The signer raises the hash to the power of d (private exponent). The verifier raises the signature to the power of e (public exponent) and checks if it equals the hash.

RSA-PSS (Probabilistic Signature Scheme):

Modern RSA signatures use RSA-PSS, which incorporates randomness for provable security:

1. Generate a random salt value
2. Combine the message hash with the salt using a masking function
3. Pad the result to n bits using a specific encoding
4. Apply the RSA private operation to the padded value

PSS provides a security proof reduction to the RSA assumption, meaning breaking PSS would require breaking RSA itself.

RSA Signature Characteristics:

• Signature Size: Equal to key size (256 bytes for RSA-2048, 384 bytes for RSA-3072)
• Signing Speed: Slow (modular exponentiation with large private exponent)
• Verification Speed: Fast (small public exponent 65537)
• Key Size: Large (2048-4096 bits for current security)

The Digital Signature Algorithm (DSA) was developed by NIST and adopted as a federal standard (FIPS 186) in 1994. Unlike RSA, DSA can only sign (not encrypt) and produces much smaller signatures. Its security rests on the difficulty of the discrete logarithm problem.

The Discrete Logarithm Problem: Given a large prime p, a generator g, and a value y = g^x mod p, finding x is computationally infeasible. This is the "discrete log" problem—finding the exponent in modular arithmetic.

DSA Domain Parameters:

• p: A large prime (2048-3072 bits)
• q: A prime divisor of (p-1), typically 224-256 bits
• g: A generator of the subgroup of order q in Z_p*

DSA Key Generation:

1. Choose random secret x in range [1, q-1]
2. Compute y = g^x mod p

• Private key: x
• Public key: y (plus domain parameters p, q, g)

DSA Signing:

1. Generate random k in range [1, q-1] (CRITICAL: must be unique per signature)
2. Compute r = (g^k mod p) mod q
3. Compute s = k⁻¹ × (H(m) + x × r) mod q
4. Signature: (r, s)

DSA Verification:

1. Compute w = s⁻¹ mod q
2. Compute u₁ = H(m) × w mod q
3. Compute u₂ = r × w mod q
4. Compute v = (g^u₁ × y^u₂ mod p) mod q
5. Valid if v = r

Why DSA Works (Mathematical Intuition):

The signature (r, s) embeds both the message hash and the private key in a way that only the public key can untangle:

• r encodes a commitment to the random k (via g^k)
• s encodes the message hash H(m) mixed with the private key x

During verification, the equation v = (g^u₁ × y^u₂ mod p) mod q reconstructs r using only public information (y = g^x is the public key). If the signature is valid, this reconstruction matches the original r.

DSA Signature Characteristics:

• Signature Size: ~56-64 bytes (two values, each ~q bits)
• Signing Speed: Moderate (one modular exponentiation)
• Verification Speed: Slower than signing (two exponentiations)
• Key Size: Moderate (public key is p-sized, ~256-384 bytes)

ECDSA is the elliptic curve variant of DSA, providing equivalent security with dramatically smaller keys and signatures. It's the workhorse of modern cryptography, used in TLS, Bitcoin, Ethereum, HTTPS certificates, and countless security protocols.

Elliptic Curve Cryptography Primer: An elliptic curve is defined by an equation y² = x³ + ax + b over a finite field. Points on the curve form a group under an addition operation, and the discrete log problem on elliptic curves—finding n given points P and Q = nP—is even harder per bit than traditional discrete logs.

ECDSA Parameters:

• Curve: Defined by equation coefficients and finite field (e.g., secp256k1, P-256)
• G: Base point (generator) on the curve
• n: Order of G (number of points in the subgroup)

ECDSA Key Generation:

1. Choose random secret d in range [1, n-1]
2. Compute Q = dG (scalar multiplication: adding G to itself d times)

• Private key: d (a 256-bit integer for P-256)
• Public key: Q (a point on the curve, typically 33 or 65 bytes)

ECDSA Signing:

1. Generate random k in range [1, n-1] (same critical uniqueness requirement as DSA)
2. Compute point R = kG = (x_R, y_R)
3. Compute r = x_R mod n (x-coordinate of R)
4. Compute s = k⁻¹ × (H(m) + d × r) mod n
5. Signature: (r, s), typically 64 bytes total

ECDSA Verification:

1. Compute w = s⁻¹ mod n
2. Compute u₁ = H(m) × w mod n
3. Compute u₂ = r × w mod n
4. Compute point R' = u₁G + u₂Q
5. Valid if x_{R'} mod n = r

EdDSA (Edwards-curve Digital Signature Algorithm) represents the state of the art in digital signatures. Developed by Daniel J. Bernstein and colleagues, it addresses known weaknesses in ECDSA while providing excellent performance and security.

Key Innovations:

1. Twisted Edwards Curves: EdDSA uses twisted Edwards curves, which have faster and simpler addition formulas than Weierstrass curves (used by ECDSA). The most common instance is Ed25519, using Curve25519.

2. Deterministic by Design: Unlike ECDSA, EdDSA is inherently deterministic—the nonce is derived from the secret key and message, eliminating the class of attacks that broke Sony's PS3 implementation.

3. Resistance to Side Channels: The algorithms are designed for constant-time implementation, resisting timing attacks that have broken careless ECDSA implementations.

Ed25519 Specifics:

• Uses Curve25519 in twisted Edwards form
• 255-bit field, providing ~128 bits of security
• 64-byte signatures, 32-byte public keys
• Extremely fast: ~71,000 signatures/second on modern CPUs

EdDSA Signing (Ed25519):

1. Hash the secret key seed: h = SHA-512(seed)
2. Derive scalar a from lower 32 bytes of h (with bit clamping)
3. Derive prefix from upper 32 bytes of h
4. Compute R = hash(prefix || message) × G (deterministic nonce)
5. Compute S = (r + H(R || A || M) × a) mod L
6. Signature: (R, S), 64 bytes total

EdDSA Verification:

1. Decode R and S from signature
2. Compute h = H(R || A || M)
3. Check: 8 × S × G = 8 × R + 8 × h × A (The factor 8 clears the cofactor for the curve)

Choosing a signature algorithm requires balancing security, performance, compatibility, and operational considerations. Here's a comprehensive comparison to guide decision-making:

The security of digital signatures depends not only on algorithm choice but on correct implementation. Subtle bugs have broken real-world systems; understanding these pitfalls is essential for practitioners.

Random Number Generation:

For non-deterministic schemes (RSA-PSS, ECDSA without RFC 6979), randomness quality is critical:

• Use cryptographically secure random number generators (CSPRNG)
• Never use predictable sources (time, PID, weak PRNGs)
• Never reuse random values across operations
• Failure: Sony PS3 hack (reused k), Debian OpenSSL bug (predictable keys)

Side-Channel Attacks:

Signature operations can leak information through:

• Timing: Variable-time operations reveal key bits
• Power analysis: Power consumption patterns expose key material
• Cache attacks: Memory access patterns leak secrets

Mitigations:

• Constant-time implementation of all operations
• Blinding techniques for RSA (multiply by random before signing)
• EdDSA designed for constant-time implementation

Fault Attacks:

Hardware faults during signing can leak keys:

• Flipping bits during computation can produce faulty signatures
• Comparing faulty and correct signatures reveals private key
• HSMs (Hardware Security Modules) include fault detection

Digital signatures must be encoded for storage and transmission. Different standards use different encoding formats, and understanding these is essential for interoperability.

RSA Signature Encoding: RSA signatures are simply the signature integer encoded as a big-endian byte string, padded to the modulus size. A 2048-bit RSA signature is always exactly 256 bytes.

DSA/ECDSA Signature Encoding: The (r, s) pair can be encoded in multiple ways:

1. ASN.1 DER Encoding (X.509, TLS < 1.3):

SEQUENCE {
    INTEGER r,
    INTEGER s
}

Variable length (68-72 bytes for P-256) due to integer encoding rules.

2. Fixed-Size Encoding (TLS 1.3, JWT): r and s are each padded to the curve order size and concatenated:

signature = r (32 bytes) || s (32 bytes)

Always exactly 64 bytes for P-256.

EdDSA Signature Encoding: Always fixed-size: R point (32 bytes) || S scalar (32 bytes) for Ed25519.

We've journeyed through the mathematical machinery of digital signature generation—from foundational concepts to algorithm specifics to practical implementation considerations. Let's consolidate these insights:

What's Next:

With signature generation thoroughly understood, we now turn to the complementary process: verification. The next page examines how recipients use public keys to validate signatures, handle edge cases, and establish trust in the signing identity.