Digital signatures must satisfy two properties:
- Only you can sign some data, while anyone can verify that you signed it.
- The signature must be specific to the data it signs: otherwise anyone could copy a signature you shared and apply it to a different document.
Digital signature schemes use a public key and a private key:
- The private key is used to sign data
- The public key is used to verify signed data
Digital signature schemes must also guarantee correctness: data that was properly signed always verifies.
Unforgeable signature schemes
When is a signature scheme called unforgeable? Consider this game: there is an attacker who knows the public key and a challenger who also knows the private key.
- The attacker can pick any document and ask the challenger to sign it.
- The challenger signs that document and sends the signature back to the attacker.
- The game can go on for as long as the attacker wants (at least until a plausible number of documents has been signed).
Then the attacker tries to produce a valid signature on a message that the challenger has not already signed: if the forged signature verifies correctly, the attacker wins; otherwise the challenger wins.
So a signature scheme is unforgeable if, no matter what algorithm the attacker uses, the attacker has only a negligible chance of winning this game.
- Public keys can be used as identities
- Signature schemes can be used to sign the last hash pointer in a blockchain, thus signing the whole blockchain.
Signature scheme used in Bitcoin
Bitcoin uses ECDSA. Note that a good randomness source is essential when signing: with a poor one, the signatures you publish (which anyone can check against your public key) can leak your private key.
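The following is an added example, not code from the original notes or from Bitcoin itself. It implements ECDSA over secp256k1 (the curve Bitcoin uses) with only the Python standard library, so the two properties above (correctness, and signatures being bound to the data) can be checked by running it, and the forging game can be played against the naive "copy the signature onto another document" attacker from the first section. The message hash is a single SHA-256 (Bitcoin hashes transactions with double SHA-256) and the per-signature nonce is derived deterministically from the private key and message hash with HMAC-SHA256; this is a simplified stand-in for RFC 6979, chosen to show the usual mitigation for the randomness caveat: the signer then needs no random number generator at signing time.

```python
"""Toy ECDSA over secp256k1 (added example, standard library only)."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (curve y^2 = x^3 + 7 over GF(p), generator G of order n)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True if pt is a finite point satisfying the curve equation."""
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def keygen():
    """Private key d in [1, n-1] (needs good randomness), public key Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def msg_hash(msg):
    """Simplified: single SHA-256 (Bitcoin uses double SHA-256 of the transaction)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def derive_nonce(d, z, counter):
    """Deterministic nonce (simplified RFC 6979-style HMAC derivation, not the real RFC)."""
    data = z.to_bytes(32, "big") + counter.to_bytes(4, "big")
    return int.from_bytes(hmac.new(d.to_bytes(32, "big"), data, hashlib.sha256).digest(), "big") % N

def sign(d, msg):
    """ECDSA signature (r, s) with low-s normalisation as Bitcoin requires."""
    z = msg_hash(msg)
    counter = 0
    while True:
        k = derive_nonce(d, z, counter)
        counter += 1
        if k == 0:
            continue
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r == 0 or s == 0:
            continue
        if s > N // 2:                   # (r, n - s) is also valid; pick the canonical one
            s = N - s
        return (r, s)

def verify(q, msg, sig):
    """Anyone holding the public key q can check the signature; no secret needed."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or not on_curve(q):
        return False
    w = pow(s, -1, N)
    z = msg_hash(msg)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def forgery_game(q, sign_oracle, attacker):
    """The unforgeability game: attacker wins if its output verifies on an unqueried message."""
    queried = set()
    def oracle(m):
        queried.add(m)
        return sign_oracle(m)
    msg, sig = attacker(q, oracle)
    return msg not in queried and verify(q, msg, sig)

def copy_attacker(q, oracle):
    """The naive attacker from the notes: reuse a legitimate signature on a different document."""
    sig = oracle(b"pay Alice 1 BTC")          # constructed sample document
    return b"pay Mallory 1 BTC", sig

if __name__ == "__main__":
    d, q = keygen()
    sig = sign(d, b"hello")
    print("verifies:", verify(q, b"hello", sig), "tampered:", verify(q, b"hellO", sig))
    print("copy attacker wins:", forgery_game(q, lambda m: sign(d, m), copy_attacker))
```

Running it shows the three facts the notes state: a signature made with the private key verifies under the public key, the same signature fails on any other message or under any other key, and the signature-copying attacker loses the game. Because the nonce is a function of the key and the message, signing the same message twice yields the identical signature, which is what makes the scheme safe on devices with a weak random number generator.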