Digital Signatures

Every second, billions of digital signature verifications occur across the internet. When you visit a secure website, your browser verifies the server's certificate. When your phone installs an app update, it verifies the publisher's signature. When a financial system processes a transaction, it verifies the authorization signature. These verifications happen silently, instantaneously, and with mathematical certainty.

Verification is where the cryptographic promise of digital signatures is redeemed. The signer made a commitment with their private key; verification confirms that commitment using only public information. This asymmetry—anyone can verify, but only the signer can sign—is the foundation of digital trust.

But verification isn't merely executing a mathematical function. Real-world verification involves complex trust decisions: Is this the right public key? Has the key been revoked? Was the signature created within an acceptable time window? Is the signing certificate trusted? Understanding verification means understanding both the cryptographic mechanics and the broader trust infrastructure that makes signatures meaningful.

Verification is the counterpart to signing—a mathematical operation that confirms whether a signature is valid for a given message and public key. The core property is simple: if the signature was created using the private key corresponding to the public key, and the message hasn't changed, verification succeeds. Otherwise, it fails.

The Verification Function:

Verify(public_key, message, signature) → {Valid, Invalid}

This function is deterministic: given the same inputs, it always produces the same output. There's no ambiguity—a signature either verifies or it doesn't.

What Verification Proves:

1. Authenticity: The signature was created using the private key corresponding to the provided public key
2. Integrity: The message has not been modified since signing
3. Non-repudiation: The private key holder cannot plausibly deny creating the signature

What Verification Does NOT Prove:

1. Identity: That the public key belongs to a specific person or entity (requires PKI)
2. Authorization: That the signer was authorized to sign this particular message
3. Time of Signing: When the signature was created (requires timestamping)
4. Key Security: That the private key wasn't compromised

Understanding these boundaries is crucial. Verification is a mathematical primitive, not a complete trust decision. Real-world security requires additional infrastructure to establish key ownership and authorization.

Each signature algorithm has a corresponding verification algorithm. Understanding these in detail reveals how the mathematical relationship between public and private keys enables trust.

RSA Verification:

Recall that RSA signing computes σ = H(m)^d mod n, where d is the private exponent. Verification reverses this:

1. Compute σ^e mod n (using public exponent e)
2. This recovers the original padded hash (for RSA-PSS, the encoded message)
3. Verify the padding structure is correct
4. Extract and compare the hash with H(m)

Verify: σ^e mod n = encoded_hash → extract H(m) → compare with Hash(message)

This works because (H(m)^d)^e ≡ H(m)^(d×e) ≡ H(m) (mod n), due to the RSA key relationship where d×e ≡ 1 (mod φ(n)).

ECDSA Verification:

Given signature (r, s), public key Q, and message m:

1. Compute w = s⁻¹ mod n (modular inverse of s)
2. Compute u₁ = H(m) × w mod n
3. Compute u₂ = r × w mod n
4. Compute point R' = u₁G + u₂Q (scalar multiplication on curve)
5. Extract x-coordinate: v = x_{R'} mod n
6. Valid if v = r

The mathematics ensures that the computed point R' matches the R used during signing (whose x-coordinate is r), but only if the signature was created with the private key corresponding to Q.

EdDSA Verification (Ed25519):

Given signature (R, S), public key A, and message m:

1. Decode R as a point on the curve
2. Decode S as a scalar
3. Compute h = H(R || A || m) mod L
4. Check: 8 × S × G = 8 × R + 8 × h × A (point multiplication)

The factor 8 clears the cofactor; if the equation holds, the signature is valid.

Real-world verification extends beyond the cryptographic primitive. A complete verification flow includes input validation, algorithm identification, hash computation, and result handling:

Step 1: Parse and Validate Inputs

• Decode the signature from its encoding format (DER, raw bytes, base64)
• Validate signature structure and component ranges
• Ensure the signature hasn't been truncated or corrupted
• For EC signatures, validate that points are on the curve

Step 2: Identify Algorithm Parameters

• Determine the signature algorithm (RSA-PSS, ECDSA, EdDSA)
• Identify the hash function (SHA-256, SHA-384, etc.)
• For EC algorithms, identify the curve (P-256, Curve25519, etc.)
• Ensure algorithm compatibility with the public key

Step 3: Compute Message Hash

• Hash the message using the specified algorithm
• For detached signatures, ensure correct message is being verified
• For embedded signatures, extract the message first

Step 4: Execute Verification Algorithm

• Apply the algorithm-specific verification as described above
• Handle potential errors (invalid point, out-of-range values)

Step 5: Interpret and Act on Result

• If valid: proceed with trust decision (check certificates, etc.)
• If invalid: determine appropriate response (reject, report, investigate)

When verification fails, understanding why is essential for security. Failure can result from innocent causes (corruption, key mismatch) or malicious activity (forgery, tampering). A well-designed system distinguishes these cases and responds appropriately.

Categories of Verification Failure:

1. Message Modification The most common legitimate failure: the message was altered after signing. This includes:

• Intentional tampering by an attacker
• Accidental corruption during transmission
• Encoding/decoding issues (charset, line endings)
• Whitespace modifications in text processing

2. Signature Corruption The signature itself was damaged:

• Truncation during transmission
• Bit flips from storage/network errors
• Incorrect encoding (Base64 padding, DER format)
• Wrong byte ordering (endianness issues)

3. Key Mismatch The public key doesn't correspond to the signing private key:

• Using the wrong public key entirely
• Public key was substituted (MITM attack)
• Key rotation: new key, old signature
• Certificate for different entity

4. Algorithm Mismatch Verification used different algorithms than signing:

• Wrong hash function
• Different signature scheme
• Incompatible padding mode (PKCS#1 v1.5 vs PSS)
• Curve mismatch for ECDSA

Digital signatures are timeless in a cryptographic sense—a valid signature remains mathematically valid forever. But in practice, time matters enormously. Keys expire, get revoked, or become insecure. Understanding time-based validity is essential for real-world verification.

The Timestamp Problem:

A raw digital signature doesn't prove when it was created. An attacker with a stolen (but expired) key could backdate signatures. A legitimate signature might be challenged as being created after the signer's death or corporate dissolution. Timestamps solve this.

Timestamping Authorities (TSA):

A trusted timestamp requires a third party—a Timestamping Authority:

1. Hash the signature (or document + signature)
2. Submit the hash to a TSA
3. TSA returns a signed timestamp linking the hash to a specific time
4. The TSA's signature proves the document existed at that time

The TSA doesn't see the document content—only the hash—preserving confidentiality. RFC 3161 defines the standard protocol.

Key Validity Windows:

Keys have validity periods:

• Not Before: The key shouldn't be used for signing before this date
• Not After: The key shouldn't be used for signing after this date
• Revocation: The key may be revoked at any time (compromise, personnel change)

Verification Time Considerations:

When verifying, you must answer: was the key valid when the signature was created?

• For recent signatures: check current validity and revocation status
• For historical signatures: need timestamp to prove signature predates expiration/revocation
• For legal documents: long-term validation requires archived timestamps and revocation info

In most real-world scenarios, public keys aren't standalone—they're embedded in certificates that provide identity assurance. Verifying a signature on a certificate requires validating the entire certificate chain back to a trusted root.

Certificate Chain Verification Steps:

1. Build the Chain Collect all certificates from the signature to the root:

• End-entity certificate (signer's certificate)
• Intermediate CA certificates
• Root CA certificate (trusted anchor)

2. Validate Each Certificate For each certificate in the chain:

• Verify the signature (signed by the issuing CA)
• Check validity period (not before, not after)
• Verify the issuer matches the subject of the next certificate
• Check key usage extensions (signing, certification, etc.)
• Validate any critical extensions

3. Check Revocation Status For each certificate:

• CRL (Certificate Revocation List): Download and check the list
• OCSP (Online Certificate Status Protocol): Query the CA's responder
• OCSP Stapling: Accept stapled response from server (for TLS)

4. Verify Trust Anchor The root certificate must be in the verifier's trust store:

• OS-provided trust store
• Application-specific trust store
• Explicit configuration for private PKIs

When verifying many signatures, performance optimization becomes important. Certain signature schemes support batch verification—validating many signatures faster than verifying each individually.

Batch Verification:

For EdDSA and some ECDSA variants, multiple signatures can be verified together:

• Random coefficients are generated for each signature
• All equations are combined into a single multi-scalar multiplication
• If the combined equation holds, all signatures are valid
• If it fails, fall back to individual verification to identify invalid signatures

Batch verification provides ~2x speedup for large batches, as it amortizes fixed costs.

Aggregate Signatures:

Some advanced schemes (BLS signatures) allow multiple signatures to be combined into a single signature:

• n signers each produce a signature on (potentially different) messages
• Signatures are aggregated into a single signature of constant size
• Verification checks all n (message, public key) pairs against the single aggregate

Used in blockchain consensus (Ethereum 2.0) where many validators sign the same message.

Performance Considerations:

• For high-throughput systems (millions of verifications/second), batch where possible
• Precompute public key multiples for frequently-used keys
• Use optimized libraries with assembly implementations
• Consider hardware acceleration (Intel SHA extensions, ARM crypto)

Let's examine how signature verification operates in major security protocols, illustrating the concepts in concrete contexts:

TLS Server Authentication: When you connect to https://example.com:

1. Server sends its certificate chain
2. Client verifies chain to a trusted root CA
3. Server proves possession of private key by signing a handshake hash
4. Client verifies the signature, confirming the server is authentic
5. If verification fails at any step, connection is rejected

Code Signing Verification: When you install software:

1. Extract the signature and certificate from the signed executable
2. Verify the certificate chain to a trusted code signing CA
3. Hash the executable content
4. Verify the signature over the hash
5. Check any additional constraints (timestamping, publisher name)
6. If verification succeeds, execute; otherwise, warn or block

Email Authentication (DKIM): When an email server receives a message:

1. Extract DKIM signature from email headers
2. Retrieve sender's public key from DNS (the selector record)
3. Verify the signature covers the specified headers and body
4. Result influences spam scoring and display to recipients

Verification is where the promise of digital signatures meets reality. Through the mathematical operations and trust decisions we've explored, abstract cryptographic guarantees become concrete trust in practical systems. Let's consolidate our understanding:

What's Next:

With signature creation and verification fully understood, we now turn to applications—the practical deployment of digital signatures across security protocols, software distribution, document authentication, and emerging technologies. You'll see how the theory we've built translates into systems you use every day.