How does RSA signature verification work?

Question

I understand how the RSA algorithm works for encryption and decryption purposes but I don't get how signing is done.

Here's what I (think) I know and is common practice:

If I have a message that I want to sign, I don't sign the message itself but I create a hash of it and then sign that hash by using my private key.
The signature gets attached to the message and both are transferred to the recipient.
The recipient recalculates the hash of the message and then uses my public key to verify the signature he received.

Here are the questions:

Why is it common practice to create a hash of the message and sign that instead of signing the message directly?
The important part and this is where I really started scratching my head: How can the recipient verify that I own the private key if the public key seems to be enough to recreate the signature?

The private key is the only one that can generate a signature that can be verified by the corresponding public key. The question then becomes how you can trust the public key is the one that was generated for the private key. The answer for that is key management. The most common key management scheme used is PKI using X509 certificates. — Maarten Bodewes, Aug 21 '13 at 15:20
I am personally of the opinion that employing hashing in signing is a conceptual load for the user to understand the scheme that could have been spared. (He would have to understand something about hashing .) Hence I coded a signature scheme with RSA without using hashing. See Ex. 4 in s13.zetaboards.com/Crypto/topic/7234475/1/. — Mok-Kong Shen, Jul 28 '16 at 11:29
An Online tool for debug RSA Sign Verify https://8gwifi.org/rsasignverifyfunctions.jsp — anish, Oct 27 '18 at 09:31
This tutorial might help: https://medium.com/gitconnected/how-browsers-verify-digital-certificates-part-1-26ee57a6e712 — David Klempfner, Feb 26 '22 at 00:22

poncho · Accepted Answer · 2016-07-27T15:03:48.067

97

Why is it common practice to create a hash of the message and sign that instead of signing the message directly?

Well, the RSA operation can't handle messages longer than the modulus size. That means that if you have a 2048 bit RSA key, you would be unable to directly sign any messages longer than 256 bytes long (and even that would have problems, because of lack of padding).

In contrast, a cryptographical hash can take an arbitrarily long message, and 'compress' it into a short string, in such a way that we cannot find two messages that hash to the same value. Hence, signing the hash is just as good as signing the original message; without the length restrictions we would have if we didn't use a hash.

The important part and this is where I really started scratching my head: How can the recipient verify that I own the private key if the public key seems to be enough to recreate the signature?

What made you think that the public key is enough to recreate the signature? It is sufficient to verify a signature that you're given, but it is not sufficient to generate new ones (or so we hope; if that's not true, the signature scheme is broken).

If you're using RSA, the signature verification process is (effectively) checking whether:

$S^e = \operatorname{Pad}(\operatorname{Hash}(M))\pmod N$

Definitions: $S$ is the signature; $M$ is the message; $e$ and $N$ are the public exponent and modulus from the public key; $\pmod N$ means that equality is checked modulo $N$; $\operatorname{Pad}$ is the padding function; and $\operatorname{Hash}$ is the hashing function. Note I say "effectively" because sometimes the padding method is nondetermanistic; that makes this check slightly different, but not in a way that matters for this discussion.

Now, if we were trying to forge a signature for a message $M'$ (with only the public key), we could certainly compute $P' = \operatorname{Pad}(\operatorname{Hash}(M'))$; however, then we'd need to find a value $S'$ with:

$S'^e = P' \pmod N$

and, if $N$ is an RSA modulus, we don't know how to do that.

The holder of the private key can do this, because he has a value $d$ with the property that:

$(x^e)^d = x \pmod N$

for all $x$. That means that:

$(P')^d = (S'^e)^d = S' \pmod N$

is the signature.

Now, if we have only the public key, we don't know $d$; getting that value is equivalent to factoring $N$, and we can't do that. The holder of the private key knows $d$, because he knows the factorization of $N$.

edited Jul 27 '16 at 15:03

answered Aug 21 '13 at 12:07

poncho

147,019
11
229
360

Can you add an explanation how the signature is generated using the private key? Maybe then it becomes clearer to me why it doesn't work with the public key only. I don't understand the part "S′e=P (mod N)". If M == M', what is missing? – Krumelur Aug 21 '13 at 12:23
@poncho , you said that with a 2048 bit RSA key, we would be unable to directly sign any messages longer than 256 bytes long. Do you mean that there are no other solutions to sign a message longer than 256 bytes (e.g. 257 bytes) without first hashing it? In other words, do you mean that hashing is compulsory? – Pacerier Feb 11 '14 at 05:41
@Pacerier: well, one could devise methods for signing long messages that don't involve hashing, such as splitting up the message into small segments, tie each segment together with an identifier and a segment sequence number, and sign each individually. However, hashing works so much easier that no one ever considers an alternative. – poncho Feb 11 '14 at 13:06
Can't you simply find out $S'$ by calculating the e'th root of P'? $S' = sqr(Pad(Hash(M')) \ (\bmod\ N),e)$ – rubo77 Aug 15 '14 at 07:15
2

@rubo77: you could, if you knew the factorization of $N$. If you don't, well, that's a hard problem (and, in fact, is known as the RSA problem). – poncho Aug 15 '14 at 13:44
Why is is so hard to calculate something $mod N$? you just have to devide it and take the rest, that shouldnt be so hard, even if N is really big if i'm not wrong??? – rubo77 Aug 15 '14 at 20:38
2

@rubo77: it's not just computing the e'th root of P, and then taking that modulo N. Instead, you're trying to find the value X such that $X^e \bmod N = P$. – poncho Aug 16 '14 at 03:19
@poncho: And why is that not easy? with your variables it would be $X=pow(P\ mod\ N, 1/e)$ ( i don't know how to write the e'th root of something here, so I use pow) All variables on the right are known, so My first comment should be: "Can't you simply find out $S′$ by calculating the $e$'th root of $P'$?" $S′=pow( Pad(Hash(M′))\ mod\ N ,e)$ – rubo77 Aug 16 '14 at 06:12
3

Ah, I get ist: You should add in your explanation, that $(mod\ N)$ with the brackets around, means the "Primitive root modulo N". It does not mean: "modulo N", modulo or remainder operator which would be trivial to calculate). That's, what I didn't know so my first question "what should be so difficult?" came up – rubo77 Aug 16 '14 at 06:25
1

@rubo77: I have no idea what primitive roots have to do with RSA; for one, there are no primitive roots modulo $N$; that is, there is no value $g$ where $g^i \bmod N$ takes on all the values relatively prime to $N$ (assuming $N$ is the product of two distinct odd primes) – poncho Jul 27 '16 at 15:06
@poncho: What about changing $S^e=\operatorname{Pad}(\operatorname{Hash}(M))\pmod N$ to $0\le S<N;\text{ and }(S^e\bmod N)=\operatorname{Pad}(\operatorname{Hash}(M))$ (and similar changes)? The range check ensures that $S$ is unique (otherwise, $S+N$ would be an acceptable signature; a simple size check of $S$ does not reliably catches that), and the order of things matches actual practice. Also, we do not need to change $=$ to $\equiv$ or explain what $\pmod N$ is about. – fgrieu Jul 27 '16 at 15:23
1

@Krumelur The signature is the padded hash, encrypted with private key. "Verify signature" means to decrypt signature with public key, and check the padded hash matches. It doesn't mean to compute a new signature and check the two signatures are the same. – M.M Nov 17 '16 at 04:57
I doubt it is possible to "decrypt signature with public key". AFAIK, the you can use my public key to send an encrypted message to me which I can then decrypt using my private key, but not the other way round. @M.M – Krumelur Nov 18 '16 at 10:09
@Krumelur you can encrypt with any key and decrypt with the other. A signature is made by encrypting the padded hash with the private key. Then it is verified by decrypting with the public key. Successful decryption proves that the holder of the private key generated the signature. – M.M Nov 18 '16 at 22:20
That's simply wrong. If the public key was able to decrypt messages, it would render the whole system useless. – Krumelur Nov 19 '16 at 08:08
5

@Krumelur A message encrypted with your private key can only be decrypted with your public key (used for authentication) and a message encrypted with your public key can only be decrypted with your private key (used for encryption). – sdfqwerqaz1 Nov 24 '16 at 13:33

score 12 · Answer 2 · answered Feb 28 '17 at 06:06

The important part and this is where I really started scratching my head: How can the recipient verify that I own the private key if the public key seems to be enough to recreate the signature?

You can use public key to "encrypt" (or "decrypt" which is same in "textbook" RSA) the signature and get hashed message. If the hashed message equals hashed message, then you verified the message being correctly signed.

You cannot use public key and message to recreate a signature that can pass the above verification though.

P.S. For "textbook" RSA, I mean https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php

score 2 · Answer 3 · answered Jul 22 '20 at 06:36

How does RSA signature verification work?

In unencrypted communication between A and B RSA signatures (without utilizing hash functions) are simply the message $m$ encrypted with sender's private key $d$ (not $e$ as in usual encrypted communication): $c \equiv m^d \pmod n$ which enables the receiver to verify a message by 'decrypting' it with public key $e$ and comparing the result to unencrypted message: $m \equiv c^e \pmod n$.

This procedure is supposed to ensure integrity in communication as the receiver (if the message matches the 'decrypted' signature) can be sure the messages is valid as only the sender is capable of computing signatures 'decryptable' using encryption exponent $e$.

Why is it common practice to create a hash of the message and sign that instead of signing the message directly?

RSA signatures can be forged or spoofed in certain scenarios which is shown in the following demonstration:

A and B are communicating on an unencrypted channel and attacker E is able to capture their messages $m$. However, they send RSA-signatures $c$ along with every package and therefore forged messages sent by E will be filtered.
Assume A sends messages $m_1$ and $m_2$ with signatures $c_{1,2} \equiv m_{1,2}^d \pmod n$ and E captures them.
E is now capable of generating the valid signature for a message $m_x$ for which $m_x = m_1 \cdot m_2$ must be true. This is feasible without private key $d$ because signature $c_x$ of $m_x$ can be calculated by multiplying signatures of $m_1$ and $m_2$: $$m_1^dm_2^d \equiv (m_1 \cdot m_2)^d \equiv m_x^d \equiv c_x \pmod n$$. This is possible due to homomorphism of RSA / module: $$(m_1 \cdot m_2) \bmod n = ((m_1 \bmod n \cdot m_2 \bmod n) \bmod n)$$ Simply put homomorphism means $f(xy) = f(x) \cdot f(y)$.
Therefore E can send a message to B which will pass integrity and authenticity test possibly causing errors or leading to confusion. However, E is not able to change contents of $m_x$ as $m_x = c_x^e$ must remain true.

Concluding RSA encrypted messages as signatures can be insufficient depending on the scenario, thus hash functions are commonly used in digital signature generation and additionally @poncho's answer is of relevance too.

Wikipedia articles on homomorphic encryption and module homomorphism dive into detail of this aspect of RSA encryption:

https://en.wikipedia.org/wiki/Homomorphic_encryption

https://en.wikipedia.org/wiki/Module_homomorphism

How does RSA signature verification work?

3 Answers3

Linked