1

Digital Signatures use an asymmetric algorithm, meaning that if I want to apply a digital signature to a document I sign it with my own private key and send it to the recipient.

The recipient, thanks to the public key, can already verify that the message really comes from me: a man in the middle could have intercepted my message, decrypted it thanks to the public key, and forged it.

However, a man in the middle cannot re-encrypt the message since he lacks the private key. So when the message arrives to the recipient and the recipient tries to decrypt the content with the public key, the content would make no sense, because it was re-encrypted by the man in the middle with a key that doesn't match the public key owned by the recipient. So, decoding it with the public key verifies that the proper private key was used to sign the document, thereby verifying the signature's provenance. This method, according to my understanding, is already enough to prove the integrity of the message.

What I do not understand is why SHA256, for example, as a hashing algorithm on top of what is described above is needed.

I understand how SHA256 is used: I send content and its hashed version and the recipient recalculates the hash of the received content by using the same algorithm I used. If the two hashes match then the recipient verified the integrity of the message. But why is this needed if Digital Signatures, as in using Asynchronous Encryption, already prove the integrity?

UPDATE: I wrote my question totally wrong and when I wrote Asynchronous Encryption I meant Asymmetric Algorithm. There is no content encryption at all involved in this question but just the Asymmetric Algorithm, hence the public-private key pair.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Tarta
  • 129
  • 5

2 Answers2

10

Well, for one, signature algorithms really don't use "Asynchronous Encryption". What they do is use the private key to generate a signature that has some verifiable relationship (with the public key) to the message, but given the large variety of signature algorithms, any less vague description won't be universally true. With some algorithms, the relationship might look something like encryption (if you squint), however that's not really true.

However, that diatribe doesn't really address your question: why is a hash function involved. Well, the signature algorithms we have handle only messages of limited size; on the other hand, we might want to sign quite large messages. So, if we want to sign a gigabyte message, and our signature algorithm can sign only 100 byte messages, what can we do?

We could split up the message into 10 million pieces and sign each piece individually, however that is obviously silly.

What we do instead is hash our gigabyte message into (say) a 32 byte hash and pass that hash to the underlying signature algorithm; the hash is short, and so the signature algorithm can handle it. We believe that our hash algorithm is collision resistant, and so we don't believe that anyone can have a different message with the same hash (even if they got to pick the first message).

So, if we sign the hash, that's as good as signing the original message (and is far more practical than signing the original huge message)

poncho
  • 147,019
  • 11
  • 229
  • 360
  • Thanks for your answer! First of all, about your first point, I wrote my question totally wrong and when I wrote Asynchronous Encryption I meant Asymmetric Algorithm. I will update my question to avoid any confusion for any reader. I agree with you that there is no encryption at all when it comes to only and exclusively digital signing. – Tarta Nov 07 '23 at 14:11
  • 3
    Additionally, some signature systems (e.g. textbook RSA signature) make it trivial to produce (message, signature) pairs that verify against a given public key. They are vulnerable if adversaries can choose the message. Hashing and signing goes towards making the signature system EUF-CMA. Notice that may not be sufficient: textbook-RSA-sign-SHA-256 is insecure, because the hash is not wide enough. RSA-FDH uses the same principle with a wide hash, and is secure. – fgrieu Nov 07 '23 at 15:03
3

Why is SHA256 used as layer on top of Digital Signature

Hashing (could be any secure cryptographic hash) messages before the digital signature goes back to the early history of Digital signatures. The first secure digital signature scheme in history, due to Michael O. Rabin (1979).

$$s\cdot(s + b) \equiv H(m, u) \pmod n.$$ where the $(n,b)$ is a public key pair of integers, the signature is the pair $(s,u)$

Rabin used the hashing and randomization for two purposes;

  1. The signer changes $u$ until finds a quadratic residue.
  2. There is a security issue that the signer may reveal distinct square roots $s \neq s'$ of the common square that would be a catastrophic result to factor $n$

Well, Rabin did not mention that they might consider it too obvious to state;

  1. Compressing long messages and destroying any structure that could forge signatures ( try without hash and use integer perfect squares as messages to forge signatures)

Rabin's signature scheme is still an existential unforgeability under chosen-message attack (EUF-CMA) with large parameter sizes.

Well, Taher ElGamal did forget the importance of Hashing on their discrete-log-type signature scheme which has trivial forgeries.

Today, hashing the messages is part of the signatures, though the security considerations and proofs are deep!

kelalaka
  • 48,443
  • 11
  • 116
  • 196