Hubbry Logo
Digital signatureDigital signatureMain
Open search
Digital signature
Community hub
Digital signature
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Digital signature
Digital signature
Digital signature
View on Wikipedia
from Wikipedia
Alice signs a message—"Hello Bob!"—by appending a signature which is computed from the message and her private key. Bob receives the message, including the signature, and using Alice's public key, verifies the authenticity of the signed message.
Alice signs a message—"Hello Bob!"—by appending a signature which is computed from the message and her private key. Bob receives both the message and signature. He uses Alice's public key to verify the authenticity of the signed message.

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.[1][2]

Digital signatures are a type of public-key cryptography, and are commonly used for software distribution,[3][4][5] financial transactions,[citation needed] contract management software,[citation needed] and in other cases where it is important to detect forgery or tampering.

A digital signature on a message or document is similar to a handwritten signature on paper, but it is not restricted to a physical medium like paper—any bitstring can be digitally signed—and while a handwritten signature on paper could be copied onto other paper in a forgery, a digital signature on a message is mathematically bound to the content of the message so that it is infeasible for anyone to forge a valid digital signature on any other message.[6]

Digital signatures are often used to implement electronic signatures, which include any electronic data that carries the intent of a signature,[7] but not all electronic signatures use digital signatures.[8][9]

Definition

[edit]

A digital signature scheme consists of three algorithms:[6][10]

  • A key generation algorithm that selects a private key at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
  • A signing algorithm that, given a message and a private key, produces a signature.
  • A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the message's claim to authenticity.

Two main properties are required:

  1. Correctness: Signatures produced by the signing algorithm with a private key pass the verification algorithm with the corresponding public key.
  2. Security (existential unforgeability under chosen-message attack, or EUF-CMA): It should be computationally infeasible to generate a valid signature for a party without knowing that party's private key.

Formally, a digital signature scheme is a triple of probabilistic polynomial-time algorithms, (G, S, V), satisfying:

  • G (key-generator) generates a public key (pk), and a corresponding private key (sk), on input 1n, where n is the security parameter.
  • S (signing) returns a tag, t, on the inputs: the private key (sk), and a string (x).
  • V (verifying) outputs accepted or rejected on the inputs: the public key (pk), a string (x), and a tag (t).

Here 1n refers to a unary number in the formalism of computational complexity theory.

For correctness, S and V must satisfy

Pr [(pk, sk) ← G(1n), V(pk, x, S(sk, x)) = accepted] = 1.[11]

A digital signature scheme is secure if for every non-uniform probabilistic polynomial time adversary A,

Pr [(pk, sk) ← G(1n), (x, t) ← AS(sk, · )(pk, 1n), xQ, V(pk, x, t) = accepted] < negl(n),

where AS(sk, · ) denotes that A has access to the oracle, S(sk, · ), Q denotes the set of the queries on S made by A, which knows the public key, pk, and the security parameter, n, and xQ denotes that the adversary may not directly query the string, x, on S.[11][12]

History

[edit]

In 1976, Whitfield Diffie and Martin Hellman first described the notion of a digital signature scheme, although they only conjectured that such schemes existed based on functions that are trapdoor one-way permutations.[13][14] Soon afterwards, Ronald Rivest, Adi Shamir, and Len Adleman invented the RSA algorithm, which could be used to produce primitive digital signatures[15] (although only as a proof-of-concept – "plain" RSA signatures are not secure[16]). The first widely marketed software package to offer digital signature was Lotus Notes 1.0, released in 1989, which used the RSA algorithm.[17]

Other digital signature schemes were soon developed after RSA, the earliest being Lamport signatures,[18] Merkle signatures (also known as "Merkle trees" or simply "Hash trees"),[19] and Rabin signatures.[20]

In 1988, Shafi Goldwasser, Silvio Micali, and Ronald Rivest became the first to rigorously define the security requirements of digital signature schemes.[21] They described a hierarchy of attack models for signature schemes, and also presented the GMR signature scheme, the first that could be proved to prevent even an existential forgery against a chosen message attack, which is the currently accepted security definition for signature schemes.[21] The first such scheme which is not built on trapdoor functions but rather on a family of function with a much weaker required property of one-way permutation was presented by Moni Naor and Moti Yung.[22]

Method

[edit]

One digital signature scheme (of many) is based on RSA. To create signature keys, generate an RSA key pair containing a modulus, N, that is the product of two random secret distinct large primes, along with integers, e and d, such that e d  1 (mod φ(N)), where φ is Euler's totient function. The signer's public key consists of N and e, and the signer's secret key contains d.

Used directly, this type of signature scheme is vulnerable to key-only existential forgery attack. To create a forgery, the attacker picks a random signature σ and uses the verification procedure to determine the message, m, corresponding to that signature.[23] In practice, however, this type of signature is not used directly, but rather, the message to be signed is first hashed to produce a short digest, that is then padded to larger width comparable to N, then signed with the reverse trapdoor function.[24] This forgery attack, then, only produces the padded hash function output that corresponds to σ, but not a message that leads to that value, which does not lead to an attack. In the random oracle model, hash-then-sign (an idealized version of that practice where hash and padding combined have close to N possible outputs), this form of signature is existentially unforgeable, even against a chosen-plaintext attack.[14][clarification needed][25]

There are several reasons to sign such a hash (or message digest) instead of the whole document.

For efficiency
The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice.
For compatibility
Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number N). A hash function can be used to convert an arbitrary input into the proper format.
For integrity
Without the hash function, the text "to be signed" may have to be split (separated) in blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognize if all the blocks are present and in the appropriate order.

Applications

[edit]

As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence to provenance, identity, and status of an electronic document as well as acknowledging informed consent and approval by a signatory.[citation needed] The United States Government Printing Office (GPO) publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures.[citation needed] Universities including Penn State, University of Chicago, and Stanford are publishing electronic student transcripts with digital signatures.[citation needed]

Below are some common reasons for applying a digital signature to communications:

Authentication

[edit]

A message may have letterhead or a handwritten signature identifying its sender, but letterheads and handwritten signatures can be copied and pasted onto forged messages. Even legitimate messages may be modified in transit.[6]

If a bank's central office receives a letter claiming to be from a branch office with instructions to change the balance of an account, the central bankers need to be sure, before acting on the instructions, that they were actually sent by a branch banker, and not forged—whether a forger fabricated the whole letter, or just modified an existing letter in transit by adding some digits.

With a digital signature scheme, the central office can arrange beforehand to have a public key on file whose private key is known only to the branch office. The branch office can later sign a message and the central office can use the public key to verify the signed message was not a forgery before acting on it. A forger who doesn't know the sender's private key can't sign a different message, or even change a single digit in an existing message without making the recipient's signature verification fail.[6][1][2]

Encryption can hide the content of the message from an eavesdropper, but encryption on its own may not let recipient verify the message's authenticity, or even detect selective modifications like changing a digit—if the bank's offices simply encrypted the messages they exchange, they could still be vulnerable to forgery. In other applications, such as software updates, the messages are not secret—when a software author publishes a patch for all existing installations of the software to apply, the patch itself is not secret, but computers running the software must verify the authenticity of the patch before applying it, lest they become victims to malware.[2]

Limitations

[edit]

Replays. A digital signature scheme on its own does not prevent a valid signed message from being recorded and then maliciously reused in a replay attack. For example, the branch office may legitimately request that bank transfer be issued once in a signed message. If the bank doesn't use a system of transaction IDs in their messages to detect which transfers have already happened, someone could illegitimately reuse the same signed message many times to drain an account.[6]

Uniqueness and malleability of signatures. A signature itself cannot be used to uniquely identify the message it signs—in some signature schemes, every message has a large number of possible valid signatures from the same signer, and it may be easy, even without knowledge of the private key, to transform one valid signature into another.[26] If signatures are misused as transaction IDs in an attempt by a bank-like system such as a Bitcoin exchange to detect replays, this can be exploited to replay transactions.[27]

Authenticating a public key. Prior knowledge of a public key can be used to verify authenticity of a signed message, but not the other way around—prior knowledge of a signed message cannot be used to verify authenticity of a public key. In some signature schemes, given a signed message, it is easy to construct a public key under which the signed message will pass verification, even without knowledge of the private key that was used to make the signed message in the first place.[28]

Non-repudiation

[edit]

Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature.

Note that these authentication, non-repudiation etc. properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an "online" check; e.g., checking a certificate revocation list or via the Online Certificate Status Protocol.[29] Very roughly this is analogous to a vendor who receives credit-cards first checking online with the credit-card issuer to find if a given card has been reported lost or stolen. Of course, with stolen key pairs, the theft is often discovered only after the secret key's use, e.g., to sign a bogus certificate for espionage purpose.

Notions of security

[edit]

In their foundational paper, Goldwasser, Micali, and Rivest lay out a hierarchy of attack models against digital signatures:[21]

  1. In a key-only attack, the attacker is only given the public verification key.
  2. In a known message attack, the attacker is given valid signatures for a variety of messages known by the attacker but not chosen by the attacker.
  3. In an adaptive chosen message attack, the attacker first learns signatures on arbitrary messages of the attacker's choice.

They also describe a hierarchy of attack results:[21]

  1. A total break results in the recovery of the signing key.
  2. A universal forgery attack results in the ability to forge signatures for any message.
  3. A selective forgery attack results in a signature on a message of the adversary's choice.
  4. An existential forgery merely results in some valid message/signature pair not already known to the adversary.

The strongest notion of security, therefore, is security against existential forgery under an adaptive chosen message attack.

Additional security precautions

[edit]

Putting the private key on a smart card

[edit]

All public key / private key cryptosystems depend entirely on keeping the private key secret. A private key can be stored on a user's computer, and protected by a local password, but this has two disadvantages:

  • the user can only sign documents on that particular computer
  • the security of the private key depends entirely on the security of the computer

A more secure alternative is to store the private key on a smart card. Many smart cards are designed to be tamper-resistant (although some designs have been broken, notably by Ross Anderson and his students[30]). In a typical digital signature implementation, the hash calculated from the document is sent to the smart card, whose CPU signs the hash using the stored private key of the user, and then returns the signed hash. Typically, a user must activate their smart card by entering a personal identification number or PIN code (thus providing two-factor authentication). It can be arranged that the private key never leaves the smart card, although this is not always implemented. If the smart card is stolen, the thief will still need the PIN code to generate a digital signature. This reduces the security of the scheme to that of the PIN system, although it still requires an attacker to possess the card. A mitigating factor is that private keys, if generated and stored on smart cards, are usually regarded as difficult to copy, and are assumed to exist in exactly one copy. Thus, the loss of the smart card may be detected by the owner and the corresponding certificate can be immediately revoked. Private keys that are protected by software only may be easier to copy, and such compromises are far more difficult to detect.

Using smart card readers with a separate keyboard

[edit]

Entering a PIN code to activate the smart card commonly requires a numeric keypad. Some card readers have their own numeric keypad. This is safer than using a card reader integrated into a PC, and then entering the PIN using that computer's keyboard. Readers with a numeric keypad are meant to circumvent the eavesdropping threat where the computer might be running a keystroke logger, potentially compromising the PIN code. Specialized card readers are also less vulnerable to tampering with their software or hardware and are often EAL3 certified.

Other smart card designs

[edit]

Smart card design is an active field, and there are smart card schemes which are intended to avoid these particular problems, despite having few security proofs so far.

Using digital signatures only with trusted applications

[edit]

One of the main differences between a digital signature and a written signature is that the user does not "see" what they sign. The user application presents a hash code to be signed by the digital signing algorithm using the private key. An attacker who gains control of the user's PC can possibly replace the user application with a foreign substitute, in effect replacing the user's own communications with those of the attacker. This could allow a malicious application to trick a user into signing any document by displaying the user's original on-screen, but presenting the attacker's own documents to the signing application.

To protect against this scenario, an authentication system can be set up between the user's application (word processor, email client, etc.) and the signing application. The general idea is to provide some means for both the user application and signing application to verify each other's integrity. For example, the signing application may require all requests to come from digitally signed binaries.

Using a network attached hardware security module

[edit]

One of the main differences between a cloud based digital signature service and a locally provided one is risk. Many risk averse companies, including governments, financial and medical institutions, and payment processors require more secure standards, like FIPS 140-2 level 3 and FIPS 201 certification, to ensure the signature is validated and secure.

WYSIWYS

[edit]
Main article: WYSIWYS

Technically speaking, a digital signature applies to a string of bits, whereas humans and applications "believe" that they sign the semantic interpretation of those bits. In order to be semantically interpreted, the bit string must be transformed into a form that is meaningful for humans and applications, and this is done through a combination of hardware and software based processes on a computer system. The problem is that the semantic interpretation of bits can change as a function of the processes used to transform the bits into semantic content. It is relatively easy to change the interpretation of a digital document by implementing changes on the computer system where the document is being processed. From a semantic perspective this creates uncertainty about what exactly has been signed. WYSIWYS (What You See Is What You Sign)[31] means that the semantic interpretation of a signed message cannot be changed. In particular this also means that a message cannot contain hidden information that the signer is unaware of, and that can be revealed after the signature has been applied. WYSIWYS is a requirement for the validity of digital signatures, but this requirement is difficult to guarantee because of the increasing complexity of modern computer systems. The term WYSIWYS was coined by Peter Landrock and Torben Pedersen to describe some of the principles in delivering secure and legally binding digital signatures for Pan-European projects.[31]

Digital signatures versus ink on paper signatures

[edit]

An ink signature could be replicated from one document to another by copying the image manually or digitally, but to have credible signature copies that can resist some scrutiny is a significant manual or technical skill, and to produce ink signature copies that resist professional scrutiny is very difficult.

Digital signatures cryptographically bind an electronic identity to an electronic document and the digital signature cannot be copied to another document. Paper contracts sometimes have the ink signature block on the last page, and the previous pages may be replaced after a signature is applied. Digital signatures can be applied to an entire document, such that the digital signature on the last page will indicate tampering if any data on any of the pages have been altered, but this can also be achieved by signing with ink and numbering all pages of the contract.

Some digital signature algorithms

[edit]
[edit]
For International uses, see Electronic signatures and law

Most digital signature schemes share the following goals regardless of cryptographic theory or legal provision:

  1. Quality algorithms: Some public-key algorithms are known to be insecure, as practical attacks against them have been discovered.
  3. Quality implementations: An implementation of a good algorithm (or protocol) with mistake(s) will not work.
  5. Users (and their software) must carry out the signature protocol properly.
  7. The private key must remain private: If the private key becomes known to any other party, that party can produce perfect digital signatures of anything.
  9. The public key owner must be verifiable: A public key associated with Bob actually came from Bob. This is commonly done using a public key infrastructure (PKI) and the public key↔user association is attested by the operator of the PKI (called a certificate authority). For 'open' PKIs in which anyone can request such an attestation (universally embodied in a cryptographically protected public key certificate), the possibility of mistaken attestation is non-trivial. Commercial PKI operators have suffered several publicly known problems. Such mistakes could lead to falsely signed, and thus wrongly attributed, documents. 'Closed' PKI systems are more expensive, but less easily subverted in this way.

Only if all of these conditions are met will a digital signature actually be any evidence of who sent the message, and therefore of their assent to its contents. Legal enactment cannot change this reality of the existing engineering possibilities, though some such have not reflected this actuality.

Legislatures, being importuned by businesses expecting to profit from operating a PKI, or by the technological avant-garde advocating new solutions to old problems, have enacted statutes and/or regulations in many jurisdictions authorizing, endorsing, encouraging, or permitting digital signatures and providing for (or limiting) their legal effect. The first appears to have been in Utah in the United States, followed closely by the states Massachusetts and California. Other countries have also passed statutes or issued regulations in this area as well and the UN has had an active model law project for some time. These enactments (or proposed enactments) vary from place to place, have typically embodied expectations at variance (optimistically or pessimistically) with the state of the underlying cryptographic engineering, and have had the net effect of confusing potential users and specifiers, nearly all of whom are not cryptographically knowledgeable.

Adoption of technical standards for digital signatures have lagged behind much of the legislation, delaying a more or less unified engineering position on interoperability, algorithm choice, key lengths, and so on what the engineering is attempting to provide.

See also: ABA digital signature guidelines

Industry standards

[edit]

Some industries have established common interoperability standards for the use of digital signatures between members of the industry and with regulators. These include the Automotive Network Exchange for the automobile industry and the SAFE-BioPharma Association for the healthcare industry.

Using separate key pairs for signing and encryption

[edit]

In several countries, a digital signature has a status somewhat like that of a traditional pen and paper signature, as in the 1999 EU digital signature directive and 2014 EU follow-on legislation.[34] Generally, these provisions mean that anything digitally signed legally binds the signer of the document to the terms therein. For that reason, it is often thought best to use separate key pairs for encrypting and signing. Using the encryption key pair, a person can engage in an encrypted conversation (e.g., regarding a real estate transaction), but the encryption does not legally sign every message he or she sends. Only when both parties come to an agreement do they sign a contract with their signing keys, and only then are they legally bound by the terms of a specific document. After signing, the document can be sent over the encrypted link. If a signing key is lost or compromised, it can be revoked to mitigate any future transactions. If an encryption key is lost, a backup or key escrow should be utilized to continue viewing encrypted content. Signing keys should never be backed up or escrowed unless the backup destination is securely encrypted.

See also

[edit]
Wikiversity has learning resources about Digital Signature

Notes

[edit]

References

[edit]

Further reading

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Digital signature

View on Grokipedia
from Grokipedia
A digital signature is the result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin , , and signatory . As an electronic analogue to a handwritten signature, it assures that the claimed signatory created or agreed to the information and that it has not been altered since signing. Digital signatures rely on asymmetric , where a signer uses a private key to generate the on a or document, and a corresponding public key—often distributed via a digital certificate from a trusted —allows anyone to verify its authenticity and . This typically involves hashing the to create a fixed-size digest, then encrypting that digest with the private key to produce the , ensuring efficiency even for large files. Verification reverses this by decrypting the signature with the public key and comparing it to a freshly computed hash of the . The concept of digital signatures emerged in , first proposed by and in their 1976 paper "New Directions in Cryptography," which outlined the need for unforgeable electronic signatures to enable secure digital communications and transactions. The first practical implementation followed in 1978 with the RSA algorithm, detailed in the paper "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by Ronald Rivest, Adi Shamir, and , which demonstrated how trapdoor one-way functions could support both and signing. Over time, standards have evolved to address security needs, with the U.S. National Institute of Standards and Technology (NIST) publishing the Digital Signature Standard (DSS) in Federal Information Processing Standard (FIPS) 186-1 in 1998, initially based on the (DSA). Subsequent revisions, such as FIPS 186-5 in 2023, incorporate advanced schemes like (ECDSA) and Edwards-curve (EdDSA) for greater efficiency, while retaining DSA for legacy systems. In response to threats, NIST has standardized post-quantum algorithms, including Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in FIPS 204 (2024) and Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) in FIPS 205 (2024), ensuring long-term resilience. Digital signatures are widely applied in scenarios requiring trust and , such as authenticating software updates to prevent tampering, securing financial transactions by verifying sender identity, and enabling legally binding electronic contracts through . They also support secure protocols like , certificate authorities for (PKI), and validations, underpinning modern digital economies while complying with regulations like the U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN).

Introduction

Definition

A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document using asymmetric cryptography, which enables the verification of the sender's identity, ensures the message has not been altered, and provides by binding the signer to the message. This scheme relies on a pair of mathematically related keys: a private key known only to the signer and a public key available to verifiers, forming the basis of public-key cryptography as the foundational enabler. The core properties of a digital signature include authenticity, which confirms the message originated from the claimed sender; , which detects any tampering or modification to the message; and , which prevents the signer from denying they produced or sent the message. These properties are achieved through cryptographic transformations that create a unique, tamper-evident "" of the message, typically involving a to produce a fixed-size digest that is then encrypted with the private key. Unlike electronic signatures, which broadly encompass any digital mark or process intended to signify agreement (such as a scanned handwritten signature or simple click-through), digital signatures are cryptographically bound using asymmetric keys, providing stronger guarantees against and alteration. Electronic signatures may lack these cryptographic elements and thus offer lower assurance of authenticity and . In the basic workflow, a key pair is generated using a key generation algorithm, after which the signer applies the signing algorithm to the message (often its hash) using the private key to produce the signature; verification then uses the public key and the signing algorithm to check if the signature matches the message, confirming the properties hold. Formally, a digital signature scheme consists of three algorithms: KeyGen, which generates the public-private key pair; Sign, which produces the signature on a message using the private key; and Verify, which checks the validity of the signature using the public key and message.

Importance and Basic Principles

Digital signatures are pivotal in fostering digital trust, allowing secure interactions in environments where physical presence is impractical. They underpin by authenticating transactions and preventing unauthorized alterations, software updates by verifying the origin and integrity of code to mitigate risks, and legal documents by providing , ensuring that signatories cannot deny their actions and that records hold legal weight under frameworks like the ESIGN Act. Central to their operation are prerequisite concepts like cryptographic hash functions, which compress variable-length messages into fixed-size digests for efficient processing. For instance, SHA-256 generates a 256-bit hash that represents the message uniquely, enabling signatures on the digest rather than the full data, which enhances performance without compromising security. This hashing step is crucial, as it maintains by detecting even minor changes, as any alteration to the message produces a different hash. Public-key infrastructure (PKI) forms the foundational trust model for digital signatures, involving certificates issued by trusted certificate authorities (CAs) that link public keys to verified identities. These X.509 certificates, digitally signed by the CA, allow verifiers to confirm the signer's legitimacy through a chain of trust rooted in well-known authorities. The core process of signature creation is formalized as σ=Sign(sk,H(m)),\sigma = \text{Sign}(sk, H(m)), where σ\sigma is the signature, sksk is the signer's private key, HH is the hash function applied to the message mm. This mechanism provides resistance to forgery, as forging a valid signature requires solving the underlying hard problem (e.g., discrete logarithm in DSA), while hashing ensures scalability by reducing the input size for the computationally intensive signing operation.

Historical Development

Early Concepts

The foundational ideas for digital signatures emerged in the mid-1970s with the invention of , which introduced asymmetric key pairs to enable secure without shared secrets. In their seminal 1976 paper, and outlined the concept of digital signatures as a means to provide and for electronic messages, where a signer could produce a signature using a private key that anyone could verify with the corresponding public key, all without exposing the private key to forge future signatures. This approach, detailed in "New Directions in Cryptography," shifted cryptography from symmetric systems—where and decryption used the same key—to asymmetric ones, laying the groundwork for signatures as a distinct primitive separate from . Building on this framework, the RSA algorithm, proposed by Ronald Rivest, , and in their 1978 paper (submitted in 1977), became the first practical digital signature scheme. It leveraged the computational difficulty of factoring large composite numbers: the signer encrypted a message hash with their private key (derived from secret prime factors), producing a signature verifiable by decrypting it with the public key (the product of those factors and an exponent). This method allowed efficient verification while keeping signing secure, marking a key advancement in realizing Diffie and Hellman's vision for practical use in systems like electronic mail. Another early proposal came from and in 1978, who suggested a digital signature scheme based on the , an NP-complete subset sum variant made "trapdoor" easy to solve with secret knowledge. The scheme generated a public knapsack instance from a superincreasing private one, allowing the signer to encode message bits as subset sums for verification, but it suffered from security flaws and was broken shortly after by lattice-based attacks. Despite its insecurity, this work highlighted alternative mathematical foundations beyond factoring, though it underscored the nascent field's vulnerabilities. Throughout the 1970s, these innovations grappled with substantial hurdles, including severe computational constraints—public-key operations like RSA processed only a few thousand bits per second on era hardware, roughly 1/1000th the speed of symmetric ciphers like DES—and the complete absence of standards, which fueled from traditional cryptographers and delayed broader acceptance. These limitations confined early digital signatures to theoretical and experimental realms, emphasizing the need for optimized algorithms and eventual efforts.

Key Milestones and Adoption

The first major commercial implementation of digital signatures occurred in 1989 with the release of Lotus Notes 1.0, a platform that incorporated RSA-based digital signatures for authenticating and securing documents and communications. This marked a transition from theoretical concepts to practical , enabling secure and in enterprise environments. In 1991, the National Institute of Standards and Technology (NIST) proposed the (DSA) as part of efforts to standardize secure for government and commercial use. That same year, (PGP) software was released by , introducing digital signatures for email encryption and signing, which quickly gained popularity among individuals and organizations for secure messaging. The mid-1990s saw further standardization, with the version 3 format proposed in 1994 to define (PKI) certificates, facilitating the binding of public keys to identities for broader digital signature verification. Concurrently, the integration of digital signatures into SSL (Secure Sockets Layer) protocols during the 1990s, evolving into TLS, enabled secure web transactions by authenticating servers and protecting data integrity in e-commerce. Early legal frameworks began recognizing digital signatures to promote adoption. The Utah Digital Signature Act of 1995 was the first law to grant legal validity to digital signatures using PKI, establishing licensing for certification authorities and setting precedents for electronic contracts. Federally, the Electronic Signatures in Global and National Commerce Act (ESIGN) was enacted in 2000, providing nationwide legal equivalence for electronic signatures and records in interstate commerce, thereby removing barriers to their use in business transactions. These developments drove the shift from academic experimentation—such as early schemes like RSA—to widespread commercial application, particularly in , where digital signatures became essential for verifying transactions and ensuring . By the 2000s, this adoption supported billions of secure online interactions annually, underpinning the explosive growth of digital commerce.

Technical Mechanisms

Key Generation

Key generation is a probabilistic process that produces a private key sksk and a corresponding public key pkpk for use in digital signatures, typically parameterized by a security level nn (often expressed as a ) to ensure computational hardness against attacks. This process relies on the principles of asymmetric cryptography, where the keys are mathematically related but computationally infeasible to derive one from the other without solving hard problems like . The security parameter determines the key length, which provides a specific level of protection against brute-force or algorithmic attacks; for instance, RSA keys of 2048 bits are recommended for at least 112 bits of strength, based on the estimated difficulty of factoring the modulus. Longer keys, such as 3072 bits, offer higher (up to 128 bits) but increase computational overhead, with choices guided by standards that balance and performance. A representative example is the RSA , where two large prime numbers pp and qq are randomly selected such that pq|p - q| is sufficiently large to prevent attacks exploiting closeness. The modulus n=p×qn = p \times q is computed, and a public exponent ee (commonly , an odd prime) is chosen coprime to ϕ(n)=(p1)(q1)\phi(n) = (p-1)(q-1). The private exponent dd is then derived as the of ee modulo ϕ(n)\phi(n), satisfying d×e1(modϕ(n))d \times e \equiv 1 \pmod{\phi(n)}, yielding the public key (e,n)(e, n) and private key (d,n)(d, n). Primes pp and qq are generated using probabilistic primality tests like Miller-Rabin to ensure they are prime with overwhelming probability. Randomness plays a critical role in key generation to prevent predictability and ensure the keys' uniqueness and security; approved random bit generators (RBGs), such as those in , must be used to produce seeds and candidates with entropy matching the security strength. Inadequate randomness can lead to weak keys vulnerable to attacks, so generation occurs in secure environments like FIPS 140-validated modules. The private key must remain strictly secret to the owner, while the public key is distributed openly, often embedded in digital certificates issued by trusted authorities to bind it to the owner's identity and enable verification. Certificates ensure the public key's authenticity and during sharing.

Signing and Verification Processes

The signing process begins with the computation of a cryptographic hash of the , typically denoted as H(m)H(m), where mm is the original and HH is a secure one-way such as SHA-256. This hash produces a fixed-length digest that succinctly represents the , regardless of its size. The signer then uses their private key sksk to generate the digital signature σ=Sign(sk,H(m))\sigma = \text{Sign}(sk, H(m)), which mathematically binds the hash to the private key through operations like in schemes such as RSA. This step ensures that the signature can only be produced by the private key holder, providing authenticity. Verification involves the recipient recomputing the hash H(m)H(m') of the received message mm' and using the signer's public key pkpk to check whether Verify(pk,m,σ)\text{Verify}(pk, m', \sigma) evaluates to true. This check typically decrypts or processes σ\sigma to recover a value that must match H(m)H(m'), confirming both the message's integrity (no tampering) and origin (from the private key holder). If the hashes do not match, the signature is invalid, indicating potential tampering with the message or an attempt at forgery using an unauthorized key. The process relies on the asymmetry of , where verification is computationally feasible for anyone with the public key but forging requires the private key. A key efficiency advantage of this mechanism is that the full message is not directly signed or encrypted, which would be impractical for large data; instead, only the compact hash (e.g., 256 bits for SHA-256) undergoes the intensive private-key operation, allowing signatures on documents of arbitrary length with minimal computational overhead. For illustration in the RSA scheme, the signing can be expressed as:

hash = SHA256(message) [signature](/page/Signature) = modular_exponentiation(hash, private_exponent, modulus)

hash = SHA256(message) [signature](/page/Signature) = modular_exponentiation(hash, private_exponent, modulus)

Verification follows:

decrypted_hash = modular_exponentiation(signature, public_exponent, modulus) if decrypted_hash == SHA256(received_message) then valid

decrypted_hash = modular_exponentiation(signature, public_exponent, modulus) if decrypted_hash == SHA256(received_message) then valid

This hashing-based approach scales well for real-world applications like or .

Security Foundations

Core Notions of Security

The core security properties of digital signature schemes ensure their reliability in cryptographic protocols. A fundamental requirement is correctness, which mandates that any signature generated by the legitimate signer on a verifies successfully under the corresponding key. This property holds for all valid key pairs and messages, assuming no computational errors in the underlying algorithms. Unforgeability captures the primary goal, preventing adversaries from generating valid on unauthorized . Under a known-message attack (EUF-KMA), an adversary gains access to a fixed set of message- pairs but cannot produce a valid for any new outside this set. This notion provides basic protection but is considered weak, as real-world adversaries often adapt their queries dynamically. A stronger variant, existential unforgeability under chosen-message attack (EUF-CMA), assumes the adversary can adaptively request on chosen during the attack and still fails to forge a valid on a previously unsigned with non-negligible probability. EUF-CMA, introduced as the standard definition, aligns with the adaptive nature of signing and verification processes where signers respond to arbitrary requests. Digital signatures also incorporate security against replay attacks, where an adversary attempts to reuse a valid signature in a new . By binding the signature tightly to the specific content—including potential nonces or timestamps—verification ensures that replayed signatures fail unless the full message matches the intended use, thus maintaining without additional mechanisms. The of these notions relies on the hardness of one-way functions, which are easy to compute in but infeasible to invert computationally. Digital signature constructions, such as those based on permutations, leverage these functions to prevent by ensuring that signature generation exposes no invertible information about the private key. Additionally, collision-resistant hash functions are essential in practical schemes, particularly in hash-and-sign paradigms, where they compress messages while preserving unforgeability; finding collisions would allow an adversary to forge signatures by substituting messages with the same hash value. Formally, a digital signature scheme is secure if no probabilistic polynomial-time (PPT) adversary can break its unforgeability (e.g., under EUF-CMA) except with negligible probability in the security parameter. This definition bounds the adversary's success to events rarer than any inverse polynomial, ensuring robustness against efficient attacks.

Adversarial Models and Proofs

In the field of digital signatures, adversarial models define the capabilities and resources available to an attacker attempting to forge a valid signature, providing a framework to evaluate the of signature schemes. These models range from weaker to stronger assumptions about the adversary's access to information. The weakest is the key-only attack (), where the adversary has access only to the verification key and must produce a forgery without any interaction with the signer. A slightly stronger model is the non-adaptive chosen-message attack (non-adaptive CMA), in which the adversary selects a set of messages in advance and obtains their valid signatures before attempting to forge a signature on a new message. The most stringent model is the adaptive chosen-message attack (CMA), also known as the chosen-message attack, where the adversary can dynamically choose messages to be signed based on previous signatures received, simulating a realistic interactive threat scenario. Security in these models requires that the probability of the adversary successfully forging a signature be negligible, typically bounded by 1/poly(n), where n is the security parameter and poly(n) is a polynomial function, ensuring that the attack's success chance decreases rapidly as computational resources grow. The existential unforgeability under chosen-message attack (EUF-CMA) serves as a core security notion in the adaptive CMA model. Formalization of these security models was pioneered by , Micali, and Rivest in 1988, who introduced a rigorous framework for digital signatures secure against adaptive chosen-message attacks, shifting the focus from ad-hoc constructions to provably secure schemes. Proofs of security for digital signature schemes typically rely on reductionist techniques, demonstrating that if an adversary can forge a signature with non-negligible probability, then it can solve an underlying hard computational problem, such as the RSA assumption, which posits the difficulty of factoring large composite numbers given their product. For instance, the security of the RSA-based Full Domain Hash signature scheme reduces to the , showing that forgery implies efficient factoring. Despite these advancements, standard digital signature models have limitations, notably the lack of forward , which would protect past signatures even if the current signing key is ; forward-secure schemes address this by ensuring that compromise of the current key does not allow forgery of previously generated signatures.

Digital Signature Algorithms

Classical Algorithms

Classical digital signature algorithms rely on hard mathematical problems such as and the problem, forming the backbone of pre-quantum for and verification. These schemes, developed in the late 1970s and 1990s, provide under the assumption that inverting these problems is computationally infeasible with classical computers. They typically involve generating a key pair, signing a hash with the private key, and verifying the signature using the public key. The RSA algorithm, proposed by Rivest, Shamir, and Adleman in 1978, is one of the earliest and most widely adopted classical schemes based on the difficulty of factoring the product of two large primes. produces a modulus n=pqn = p q and private exponent dd, with the public exponent ee satisfying ed1(modϕ(n))e d \equiv 1 \pmod{\phi(n)}, where ϕ\phi is . To sign a message mm, the signer computes the hash H(m)H(m) and produces the signature σ=(H(m))dmodn\sigma = (H(m))^d \mod n. Verification checks if H(m)σemodnH(m) \equiv \sigma^e \mod n. To prevent deterministic attacks and ensure probabilistic security, RSA signatures incorporate schemes: the v1.5 scheme adds structured padding for basic randomness, while the more secure Probabilistic Signature Scheme (PSS) uses a random salt and hash-based mask generation for provable security against chosen-message attacks. PSS, formalized in version 2.1, achieves tight security reductions to the RSA assumption, making it preferable for modern implementations. The Digital Signature Algorithm (DSA), standardized by NIST in 1994 as part of the Digital Signature Standard (DSS), operates over finite fields and relies on the discrete logarithm problem. It uses a large prime pp, a subgroup order qq, a generator gg, and private key xx, with public key y=gxmodpy = g^x \mod p. Signing involves selecting a random ephemeral key kk, computing r=(gkmodp)modqr = (g^k \mod p) \mod q, and s=k1(H(m)+xr)modqs = k^{-1} (H(m) + x r) \mod q, yielding the signature pair (r,s)(r, s). Verification computes w=s1modqw = s^{-1} \mod q, u1=H(m)wmodqu_1 = H(m) w \mod q, u2=rwmodqu_2 = r w \mod q, and checks if (gu1yu2modp)modq=r(g^{u_1} y^{u_2} \mod p) \mod q = r. DSA's fixed-size signatures (twice the bit length of qq) make it efficient for certain applications, though it requires careful random number generation to avoid key recovery. An extension of DSA, the Elliptic Curve Digital Signature Algorithm (ECDSA), replaces finite field operations with for enhanced efficiency, achieving equivalent with smaller keys—typically 256 bits versus 3072 bits for RSA. ECDSA uses a curve like secp256k1, with private key dd and public key Q=dGQ = d G, where GG is the base point. Signing selects ephemeral kk, computes point (x1,y1)=kG(x_1, y_1) = k G, r=x1modnr = x_1 \mod n (curve order nn), and s=k1(H(m)+dr)modns = k^{-1} (H(m) + d r) \mod n. Verification involves w=s1modnw = s^{-1} \mod n, u1=H(m)wmodnu_1 = H(m) w \mod n, u2=rwmodnu_2 = r w \mod n, point (x1,y1)=u1G+u2Q(x_1, y_1) = u_1 G + u_2 Q, and checks x1modn=rx_1 \mod n = r. ECDSA's adoption stems from its computational advantages; for instance, it serves as the standard for transaction signing in , utilizing the secp256k1 curve for compact, fast operations in resource-constrained environments. However, vulnerabilities arise from poor ephemeral key management, as demonstrated in 2010 when hackers from fail0verflow exploited Sony's implementation, where nonce reuse in ECDSA signatures allowed recovery of the private key used for signing, compromising the console's model. The Edwards-curve Digital Signature Algorithm (EdDSA), specified in RFC 8032 (2016), is another elliptic curve-based scheme using twisted Edwards curves for improved performance and resistance to side-channel attacks. It employs deterministic nonce generation to avoid ECDSA's randomness issues, using curves like (for 128-bit security) or Ed448. Key generation derives the private key as a scalar from a , with public key Q=aBQ = aB (base point BB, scalar aa). Signing hashes the message with the private key seed to produce a nonce rr, computes R=rBR = rB, then h=H(RAM)h = H(R || A || M), and S=r+hamodlS = r + h a \mod l (order ll), yielding signature (R,S)(R, S). Verification checks h=H(RAM)h = H(R || A || M) and SB=R+hAS B = R + h A. EdDSA's 64-byte signatures and fast operations make it suitable for protocols like SSH and TLS, offering security equivalent to ECDSA with better implementation safety. Other classical approaches include hash-based schemes like the Lamport one-time signature, introduced by Leslie Lamport in 1979 as a foundational construction using one-way functions. For an nn-bit message, the private key consists of 2n2n random bit strings, and the public key is their hashes. Signing reveals the private bits matching the message bits, while verification checks that revealed bits hash to the public key. Designed for single-use to prevent forgery, Lamport signatures offer provable security under the collision resistance of the hash function but are limited by large key and signature sizes, restricting them to niche, low-volume applications. In terms of performance, RSA becomes slower with larger keys needed for equivalent security (e.g., 3072-bit RSA versus 256-bit ECDSA), with signing times often 5-10 times higher due to on bigger operands. ECDSA, leveraging arithmetic, enables faster signing and verification—up to 10 times quicker on comparable hardware—making it suitable for high-throughput systems like protocols. These trade-offs highlight ECDSA's preference in modern classical deployments despite shared vulnerabilities to implementation flaws.

Post-Quantum Algorithms

Post-quantum digital signature algorithms are designed to resist attacks from quantum computers, which can efficiently break classical schemes like RSA and ECC using . These quantum-resistant signatures rely on mathematical problems believed to be hard even for quantum adversaries, such as lattice problems, hash functions, and multivariate polynomials. Lattice-based signatures, such as CRYSTALS- (standardized as ML-DSA in FIPS 204), use the hardness of module lattice problems like Module (MLWE) and Module Short Integer Solution (MSIS). applies the Fiat-Shamir with Aborts paradigm to generate compact signatures, achieving security levels comparable to AES-128 or higher, with public key sizes around 1.3-2.6 KB and signature sizes of approximately 2.4-4.6 KB for recommended parameters. Hash-based signatures, exemplified by SPHINCS+ (standardized as SLH-DSA in FIPS 205), derive security solely from cryptographic hash functions without relying on number-theoretic assumptions. They extend one-time signature schemes, such as Winternitz One-Time Signatures (WOTS), to many-time use via hypertrees built on s; for instance, the root H(\text{leaf}_i || \text{auth_path}_i) aggregates authentication paths to verify multiple signatures efficiently while maintaining statelessness. Multivariate polynomial-based schemes, like , solve systems of quadratic equations over finite fields but have been rendered insecure by key recovery attacks that break them in under a day on standard hardware. In August 2024, NIST finalized FIPS 204 and FIPS 205 as primary standards for post-quantum signatures, selecting ML-DSA for general-purpose use due to its balance of efficiency and security, and SLH-DSA as a backup relying only on hashes. To diversify options and address specific needs like smaller signatures, NIST announced 14 candidates advancing to the second round of its additional digital signature standardization process in October 2024, with further evaluations ongoing as of late 2025 and standards anticipated in subsequent years. These algorithms produce larger outputs than classical counterparts— signatures are approximately 30-70 times larger than those of (e.g., 2.4 KB vs. 64 bytes for Ed25519)—posing challenges for bandwidth-constrained environments, while signing speeds are typically 1-5 times slower than classical schemes like ECDSA, verification is often comparable or faster on commodity hardware, though optimizations like may be needed for high-performance use cases. Adoption is accelerating, with hybrid post-quantum TLS implementations integrating these signatures into certificates; by late 2025, Cloudflare reported over 50% of its traffic using post-quantum protections, including signature schemes in protocols like TLS 1.3. Transition efforts emphasize crypto-agility to swap algorithms without system overhauls, though larger key sizes increase storage demands by up to 10x, and performance tuning remains critical for real-world deployment.

Applications

Authentication and Integrity

Digital signatures serve a fundamental purpose in by verifying the identity of the signer through their private key and in ensuring by detecting any alterations to the signed content via cryptographic hashing. This dual functionality allows recipients to confirm that the data originates from the claimed source and remains unchanged, fostering trust in digital communications and transactions without relying on physical verification methods. In software distribution, digital signatures are widely employed through code signing certificates to authenticate the publisher's identity and validate the integrity of executable files, thereby mitigating risks such as malware injection during downloads or updates. For instance, Authenticode enables developers to sign Windows binaries, allowing operating systems to chain the certificate back to a trusted root authority and alert users to unsigned or tampered code. This mechanism has become essential for platform stores and enterprise deployments, where unsigned software may be blocked or flagged to protect end-users. For email and document management, protocols like apply digital signatures to messages and attachments, enabling recipients to verify sender authenticity and detect tampering, while PDF signatures in tools like similarly certify document integrity by embedding signatures that invalidate upon unauthorized edits. The U.S. Government Publishing Office (GPO) has utilized digital signatures for its electronic publications since the 2000s, beginning with the authentication of the online Federal Budget in January 2008 to provide verifiable authenticity and prevent alterations in official records. In this process, the signature is typically appended or embedded in the file, and verification involves recomputing the hash of the data and comparing it against the signature decrypted with the signer's public key, which is validated through a to a (CA). A key limitation of digital signatures is that they do not encrypt the underlying content, offering no protection against unauthorized reading; confidentiality requires separate mechanisms, such as symmetric or asymmetric encryption applied to the data prior to signing.

Non-Repudiation

Non-repudiation is a core security service provided by digital signatures, ensuring that the signer cannot plausibly deny having created or approved a specific message or document. This property is achieved through asymmetric cryptography: the signer uses their private key to generate a signature that is computationally infeasible to forge without that key, while the corresponding public key enables any third party to verify the signature's validity and confirm it originated from the claimed signer. As defined in cryptographic standards, this mechanism supports determinations by independent parties that a message was indeed signed by the specified entity, distinguishing non-repudiation from mere authentication by providing evidentiary value in potential disputes. In practical applications, digital signatures enable for high-stakes electronic contracts, where they bind the signer's identity to the agreement, preventing denial of consent or authorship. Similarly, in financial transactions such as those processed via the network, qualified certificates supporting digital signatures ensure of message origin and content, facilitating secure interbank communications without fear of repudiation claims. These uses leverage the signature's cryptographic binding to enforce accountability in legally sensitive contexts. To strengthen against replay attacks—where a valid signature might be reused at a later time—digital signatures are often augmented with services. The Time-Stamp Protocol outlined in RFC 3161 allows a Time-Stamp Authority (TSA) to issue a verifiable token, cryptographically proving the signature's existence and integrity as of a specific point in time, thereby establishing temporal evidence for . Legally, digital signatures serve as the equivalent of traditional "signed and sealed" documents, providing enforceable proof of intent and origin in jurisdictions worldwide. , for instance, the Electronic Signatures in Global and National Commerce Act (ESIGN) accords digital signatures the same validity as handwritten ones for establishing in commercial transactions, provided they meet reliability criteria. Comparable frameworks, such as the EU's Regulation, recognize qualified digital signatures as creating presumptions of authenticity and in court. A significant challenge to arises from private key , where an unauthorized party could generate valid signatures, allowing the legitimate signer to plausibly deny subsequent ones by claiming prior . This risk is mitigated through certificate revocation protocols, such as the use of Certificate Revocation Lists (CRLs) or (OCSP), which enable rapid invalidation of compromised keys and notify verifiers to reject associated signatures.

Blockchain and Digital Assets

In blockchain systems, digital signatures are essential for authorizing transactions, ensuring that only the rightful owner can initiate transfers of digital assets. For instance, in Bitcoin and Ethereum networks, the Elliptic Curve Digital Signature Algorithm (ECDSA), a classical cryptographic method, is used where a user's private key signs a hash of the transaction data to prove ownership and prevent unauthorized alterations. This process verifies the signer's control over the associated public key-derived address, enabling secure, decentralized value transfers without intermediaries. Digital signatures also play a in non-fungible tokens (NFTs), particularly under standards like ERC-721 on , where they verify ownership transfers and authenticate metadata linked to unique digital assets. By signing transaction hashes or off-chain messages, owners can prove and enable tamper-proof transfers, such as updating NFT attributes or confirming minting rights through whitelists. This mechanism ensures that NFT ownership records on the remain immutable and verifiable by any party. As of 2025, NFT applications have evolved beyond collectibles, with digital signatures facilitating NFT-based digital identities for tamper-proof verification of credentials like passports or licenses, and enabling fractional ownership proofs for assets such as through tokenized shares. These trends integrate deeply with ecosystems, where signatures secure (DeFi) protocols by authenticating user interactions and collateral claims in lending or yield farming. A notable risk in blockchain applications arises from "blind signing," where users approve smart contract transactions without fully understanding the encoded actions, potentially leading to unintended fund transfers or exploitations in DeFi environments. Conversely, digital signatures enhance integrity, as seen in Food Trust, a Fabric-based platform that uses cryptographic signatures to secure transaction records, enabling rapid of food products from to and reducing in global networks. The NFT sector experienced explosive growth post-2020, with sales reaching $17.6 billion in before peaking in 2022, followed by a significant decline, though showing signs of recovery in 2025 with year-to-date sales exceeding $10 billion as of .

Security Precautions

Hardware-Based Protections

Hardware-based protections for digital signatures primarily involve specialized devices that securely store and manage private keys, preventing unauthorized access or extraction essential for generating valid signatures. Hardware Security Modules (HSMs) and smart cards are designed as tamper-resistant environments, often certified to Level 3 standards by the National Institute of Standards and Technology (NIST), ensuring robust physical and logical safeguards against intrusion. These devices perform cryptographic operations, such as and signing, entirely within isolated hardware boundaries, thereby protecting the private key—the critical component for non-repudiable signatures—from software-based attacks or device compromise. HSMs, including network-attached variants like Thales Luna Network HSMs, enable server-side digital signing for high-volume applications such as public key infrastructures (PKIs) and certificate authorities, supporting up to 20,000 elliptic curve cryptography (ECC) operations per second. To mitigate risks like keylogger interception during authentication, these systems incorporate separate PIN entry devices (PEDs), such as the Luna PED, which handle password or multi-factor inputs without exposing credentials to the host system. Tamper-evident designs and secure transport modes further ensure that keys remain protected even during physical relocation or maintenance. Portable USB-based solutions, exemplified by YubiHSM 2 FIPS and Nitrokey HSM 2, provide compact hardware for individual or low-volume digital signing, such as the YubiHSM 2 FIPS (up to 255 EC keys) and Nitrokey HSM 2 (up to 35 ECC keys), supporting algorithms like RSA and ECDSA for secure signature generation. These devices resist side-channel attacks—such as or electromagnetic leakage—through hardened implementations and role-based access controls, preventing key extraction even under physical tampering. A key advantage is their ability to maintain key integrity in compromised environments, as operations occur in isolated chips that self-destruct or erase sensitive data upon detected intrusion. In banking, EMV chips embedded in payment cards exemplify hardware protections by generating one-time digital signatures using on-chip private keys for transaction authentication, verified via the issuer's public key to ensure integrity and prevent counterfeiting. These chips, evaluated to high attack resistance levels by EMVCo-recognized labs, employ public key cryptography like RSA or ECC to create dynamic cryptograms per transaction, significantly reducing fraud compared to static magnetic stripe data. Over 2,300 cybersecurity certificates have been issued for such hardware, underscoring their role in securing global payment ecosystems.

Software and Procedural Best Practices

To enhance the security of digital signatures, users and organizations should restrict signing operations to trusted applications only, thereby preventing from intercepting or exploiting the process. targeting private keys has been documented in cases where compromised software environments enabled theft and misuse for signing malicious code, underscoring the need for verified software ecosystems. Implementing What You See Is What You Sign (WYSIWYS) protocols ensures that signers can visually confirm the exact content or hash being signed before , mitigating risks from hidden alterations or blind signing. This principle, formalized in early cryptographic research, addresses the gap between human-readable documents and the typically hashed for signatures. Effective is essential for maintaining digital signature , including regular of signing keys to limit exposure windows in case of compromise. mechanisms such as Certificate Revocation Lists (CRLs) or (OCSP) queries should be employed to promptly invalidate compromised keys, ensuring relying parties can verify signature validity in real-time. Best practices also recommend separating keys for signing and purposes, as using the same key pair for both can amplify risks if the private key is exposed. Digital signatures inherently do not provide , as the signed message remains readable to intermediaries unless additionally . To address this limitation, signatures should be combined with symmetric or asymmetric protocols for end-to-end protection of sensitive content. Access to private signing keys should incorporate (MFA) to add layers of verification beyond passwords, significantly reducing unauthorized access risks. Maintaining comprehensive audit logs of signature events, including timestamps, user identities, and document details, enables post-incident analysis and compliance verification. These procedural safeguards complement hardware protections by focusing on configurable software controls and user behaviors.

Technical Standards

The (CMS), standardized in RFC 5652, provides a flexible framework for enveloped digital signatures, enabling the signing and encryption of arbitrary data while supporting multiple recipients and signers through structures. This syntax, evolved from , facilitates secure messaging by encapsulating signed content with certificates and revocation information, ensuring interoperability in email and file signing applications. Complementing CMS, the standard, defined by Recommendation X.509 (2019 edition), specifies the format for public-key certificates used in digital signature verification, including fields for subject identity, public key, and validity periods to bind signatures to trusted entities. In the United States, the National Institute of Standards and Technology (NIST) outlines requirements for digital signature generation and verification in Federal Information Processing Standard (FIPS) 186-5, published in 2023, which approves algorithms such as the (DSA), (ECDSA), and Edwards-Curve Digital Signature Algorithm () while deprecating older variants due to limited adoption. This update emphasizes secure parameter sets and key sizes to resist current cryptographic threats, with ECDSA serving as a widely referenced example for efficient elliptic curve-based signing in standards-compliant systems. For the , the European Telecommunications Standards Institute (ETSI) provides comprehensive specifications under the Electronic Signatures and Infrastructures (ESI) series, such as ETSI EN 319 411-2 (V2.6.1, 2025), which details policy and security requirements for creation devices, ensuring compliance with regulation through standardized formats and validation processes. Standards such as those in FIPS 186-5 further advise separating signing keys from keys to mitigate risks of key compromise affecting multiple functions. For post-quantum resilience, NIST's 2024 standards FIPS 204 and FIPS 205 standardize module-lattice-based (ML-DSA) and stateless hash-based (SLH-DSA) digital signature algorithms, respectively, to facilitate migration from classical schemes vulnerable to quantum attacks while maintaining compatibility with existing infrastructures. To enhance interoperability in web services and XML-based protocols, the (W3C) defines XML Digital Signature (XML-DSig) in its 1.1 specification (2013), which outlines syntax and processing rules for signing XML documents or fragments, supporting detached signatures and to preserve integrity across diverse applications. In the United States, the Electronic Signatures in Global and National Commerce Act (ESIGN Act) of 2000 provides federal legal recognition to electronic signatures, granting them the same validity as handwritten signatures for most transactions, with its 25th anniversary observed in 2025. Complementing this, the (UETA), adopted by 47 states, the District of Columbia, and U.S. territories, with equivalent laws in the remaining states, ensures that electronic signatures and records are enforceable equivalents to wet-ink signatures across nearly all jurisdictions, provided parties consent and records are attributable to them. This framework supports in legal contexts by requiring demonstrable intent and integrity. In the , the eIDAS Regulation of 2014 establishes a harmonized framework for and trust services, recognizing three levels of electronic signatures—simple, advanced, and qualified—with qualified signatures offering the highest legal equivalence to handwritten ones across member states. Updates under eIDAS 2.0, which entered into force on May 20, 2024, enhance support for remote qualified electronic signatures through innovations like the European Digital Identity Wallet, facilitating secure cross-border digital transactions. Additionally, from April 1, 2024, the (EPO) accepts a broad range of digital signatures, including advanced and qualified electronic ones, on contracts and declarations for patent transfers and licenses, streamlining procedures. Globally, the UNCITRAL Model Law on Electronic Signatures (2001) has influenced legislation in 40 states and 42 jurisdictions as of 2025, promoting functional equivalence between electronic and handwritten signatures while allowing for technical reliability criteria. Variations exist in implementation; for instance, India's Information Technology Act of 2000 explicitly recognizes digital signatures using asymmetric cryptosystems and techniques as legally valid for under any . In 2025, emerging trends include the integration of AI for compliance in digital signing processes, such as automated in workflows, and increasing legal weight for blockchain-based signatures in (DeFi), where smart contracts leverage cryptographic verification for enforceable transactions in jurisdictions like the and select U.S. states. Despite these advances, challenges persist, as not all jurisdictions fully equate digital signatures to handwritten ones for sensitive documents like wills; for example, more than half of U.S. states have not enacted laws permitting electronic wills, requiring physical signatures and witnesses, while similar restrictions apply in many non-U.S. jurisdictions to ensure testamentary intent.

References

  1. https://csrc.nist.gov/glossary/term/digital_signature
  2. https://csrc.nist.gov/projects/digital-signatures
  3. https://doi.org/10.6028/NIST.FIPS.186-5
  4. https://ee.stanford.edu/~hellman/publications/24.pdf
  5. https://people.csail.mit.edu/rivest/Rsapaper.pdf
  6. https://csrc.nist.gov/pubs/fips/186-1/final
  7. https://csrc.nist.gov/pubs/fips/186-5/final
  8. https://csrc.nist.gov/pubs/fips/204/final
  9. https://www.cisa.gov/news-events/news/understanding-digital-signatures
  10. https://inst.eecs.berkeley.edu/~cs161/sp19/notes/Signatures.2.28.pdf
  11. https://www.cs.princeton.edu/courses/archive/fall19/cos487/NoteDigitalSignatures.pdf
  12. https://www.law.cornell.edu/uscode/text/15/chapter-96
  13. https://www.entrust.com/sites/default/files/documentation/whitepapers/importance-of-code-signing-wp.pdf
  14. https://csrc.nist.gov/projects/hash-functions
  15. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-107r1.pdf
  16. https://www.idmanagement.gov/university/pki/
  17. https://www.digicert.com/what-is-pki
  18. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf
  19. https://dl.acm.org/doi/10.1145/359340.359342
  20. https://www-ee.stanford.edu/~hellman/publications/30.pdf
  21. https://www.cs.virginia.edu/~evans/greatworks/diffie.pdf
  22. https://www.notesmail.com/home.nsf/ls-NDHistory-pdf.pdf
  23. https://www.fi.muni.cz/usr/gruska/crypto13/crypto_07_2x2.pdf
  24. https://csrc.nist.gov/nist-cyber-history/cryptography/chapter
  25. https://www.openpgp.org/about/
  26. https://www.w3.org/PICS/DSig/X509_1_0.html
  27. https://www.keyfactor.com/blog/ssl-vs-tls-what-are-the-differences/
  28. https://le.utah.gov/xcode/Title46/Chapter3/46-3.html
  29. https://www.govinfo.gov/content/pkg/PLAW-106publ229/pdf/PLAW-106publ229.pdf
  30. https://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-trade-commission-esign/esign7.pdf
  31. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
  32. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-90ar1.pdf
  33. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r1.pdf
  34. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
  35. https://eprint.iacr.org/2020/823
  36. https://datatracker.ietf.org/doc/html/rfc8017
  37. https://fahrplan.events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf
  38. https://datatracker.ietf.org/doc/html/rfc8032
  39. https://lamport.azurewebsites.net/pubs/dig-sig.pdf
  40. https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
  41. https://eprint.iacr.org/2019/1086
  42. https://csrc.nist.gov/pubs/fips/205/final
  43. https://sphincs.org/data/sphincs%2B-paper.pdf
  44. https://eprint.iacr.org/2022/214
  45. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
  46. https://www.nist.gov/news-events/news/2024/10/nist-announces-14-candidates-advance-second-round-additional-digital
  47. https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
  48. https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
  49. https://blog.cloudflare.com/pq-2025/
  50. https://blog.cloudflare.com/post-quantum-future/
  51. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
  52. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/digital-signatures
  53. https://learn.microsoft.com/en-us/exchange/security-and-compliance/smime-exo/smime-exo
  54. https://www.govinfo.gov/about/history
  55. https://csrc.nist.gov/glossary/term/non_repudiation
  56. https://www.swift.com/sites/default/files/documents/swift_qualified_certificates_certificate_policy.pdf
  57. https://www.ietf.org/rfc/rfc3161.txt
  58. https://doi.org/10.17487/RFC5280
  59. https://developer.bitcoin.org/devguide/transactions.html
  60. https://medium.com/mycrypto/the-magic-of-digital-signatures-on-ethereum-98fe184dc9c7
  61. https://dev.to/rounakbanik/tutorial-digital-signatures-nft-allowlists-eeb
  62. https://legittai.com/blog/technical-aspects-behind-nft-signatures
  63. https://www.tokenmetrics.com/blog/can-nfts-be-used-as-identity-credentials-future-digital-identity-2025
  64. https://www.ainvest.com/news/nfts-2025-reemerging-force-digital-asset-investment-2509/
  65. https://blaize.tech/blog/top-web3-trends-to-watch-in-2025/
  66. https://www.ledger.com/academy/enable-blind-signing-why-when-and-how-to-stay-safe
  67. https://www.transfi.com/blog/what-is-blind-signing-how-to-avoid-and-when-to-enable-blind-signing
  68. https://www.sciencedirect.com/science/article/pii/S2772918424000110
  69. https://www.ibm.com/think/topics/blockchain-for-anti-counterfeit
  70. https://www.nature.com/articles/s41599-025-05730-x
  71. https://coinlaw.io/nft-market-growth-statistics/
  72. https://cryptoslam.io/nftglobal
  73. https://www.entrust.com/products/hsm/nshield-solo
  74. https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms
  75. https://www.yubico.com/product/yubihsm-2-fips/
  76. https://www.nitrokey.com/products/nethsm
  77. https://utimaco.com/current-topics/blog/role-of-hsm-in-digital-signing
  78. https://www.emvco.com/wp-content/uploads/2025/05/EMVCo_Cybersecurity_QRG_MAY25_FINAL-TAGGED.pdf
  79. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01262018.pdf
  80. https://userlab.utk.edu/files/papers/kim/2017/kim2017certified.pdf
  81. https://link.springer.com/chapter/10.1007/978-0-387-35413-2_1
  82. https://dl.ifip.org/db/conf/cms/cms2005/LioyRAP05.pdf
  83. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r5.pdf
  84. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
  85. https://datatracker.ietf.org/doc/html/rfc5652
  86. https://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.509
  87. https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf
  88. https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.05.00_20/en_31941102v020500a.pdf
  89. https://www.w3.org/TR/xmldsig-core1/
  90. https://www.docusign.com/products/electronic-signature/learn/esign-act-ueta
  91. https://www.proof.com/blog/celebrating-25-years-of-the-esign-act-the-foundation-of-modern-digital-transactions
  92. https://signaturely.com/electronic-signature-laws-by-state/
  93. https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
  94. https://www.agrello.io/post/eidas-2-0-the-future-of-eu-digital-identity-and-authentication-by-2030
  95. https://www.epo.org/en/news-events/news/transfers-and-licences-changes-1-april-2024
  96. https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_signatures/status
  97. https://sign.dropbox.com/esignature-legality/india
  98. https://www.docusign.com/en-gb/blog/2025-contract-management-trends-smart-contracts-ai-regulation-and-more
  99. https://conventuslaw.com/report/smart-contracts-when-code-becomes-law/
  100. https://www.bsk.com/uploads/Wills-in-the-Digital-Age-copy1.pdf
  101. https://www.macconilaw.com/blog/2025/08/are-digital-and-electronic-wills-valid-in-delaware/
Add your contribution
Related Hubs
User Avatar
No comments yet.