digital signature

A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.

A value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity. (See: data origin authentication service, data integrity service, signer. Compare: digitized signature, electronic signature.)

"Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient." [I7498-2]

Tutorial: A digital signature should have these properties:

• Be capable of being verified. (See: validate vs. verify.)
• Be bound to the signed data object in such a way that if the data is changed, then when an attempt is made to verify the signature, it will be seen as not authentic. (In some schemes, the signature is appended to the signed object as stated by definition 2, but in other it, schemes is not.)
• Uniquely identify a system entity as being the signer.
• Be under the signer's sole control, so that it cannot be created by any other entity.

To achieve these properties, the data object is first input to a hash function, and then the hash result is cryptographically transformed using a private key of the signer. The final resulting value is called the digital signature of the data object. The signature value is a protected checksum, because the properties of a cryptographic hash ensure that if the data object is changed, the digital signature will no longer match it. The digital signature is unforgeable because one cannot be certain of correctly creating or changing the signature without knowing the private key of the supposed signer.

Some digital signature schemes use an asymmetric encryption algorithm (e.g., "RSA") to transform the hash result. Thus, when Alice needs to sign a message to send to Bob, she can use her private key to encrypt the hash result. Bob receives both the message and the digital signature. Bob can use Alice's public key to decrypt the signature, and then compare the plaintext result to the hash result that he computes by hashing the message himself. If the values are equal, Bob accepts the message because he is certain that it is from Alice and has arrived unchanged. If the values are not equal, Bob rejects the message because either the message or the signature was altered in transit.

Other digital signature schemes (e.g., "DSS") transform the hash result with an algorithm (e.g., "DSA", "El Gamal") that cannot be directly used to encrypt data. Such a scheme creates a signature value from the hash and provides a way to verify the signature value, but does not provide a way to recover the hash result from the signature value. In some countries, such a scheme may improve exportability and avoid other legal constraints on usage. Alice sends the signature value to Bob along with both the message and its hash result. The algorithm enables Bob to use Alice's public

signature key and the signature value to verify the hash result he receives. Then, as before, he compares that hash result she sent to the one that he computes by hashing the message himself.