Video - Bitcoin - Digital Signatures

How is the verification actually made? How can we know that Alice actually has the correct private key and how can we tell when someone tries to forge it? It would be very interesting with a minimal example of what that mathematical relationship could look like, even if the example has none of the necessary security measures.

TRANSCRIPT

A digital signature is basically the mathematical mechanism for essentially combining a public sequence of numbers with a given digital message in it.  You can really think of a digital signature in many ways as the electronic analog of a physical signature.  So, in a physical signature you will typically affix, let's say, a sequence of characters representing your name or identity to a document.  Okay.  And this process effectively binds your identity to that document.  And more so by formulating the characters in your name and maybe some particularly unique or peculiar way that's unique to you.  The hope is that nobody will be able to forge your name on that document.

Now, in a digital signature scheme it turns out you can achieve these kinds of properties mathematically.  Now, some other more well-known digital signature schemes include things like the RSA Digital Signature Scheme which tends further (inaudible 00:00:56) scheme.  There's also a scheme known as DSS which is the Digital Signature Standard actually.  And actually, if you were to use a scheme like RSA or DSS, in my mind, that you're a lot harder to forge these digital signatures than it is to for handwritten signature.  So, this particular video, I'll try to describe the overall higher-level mechanics, if you will, of a digital signature scheme.  But I wouldn't actually go into or describe the underlying mathematical details of let's say a specific scheme like RSA or DSS at least not in this video.

So the way a digital signature scheme works, let's say you have a user and want to call her Alice.  And let's say, Alice wants to digitally sign a document.  In the scheme, in a digital signature scheme, Alice is going to first generate two keys and these two keys are known as the signing key, which is a private key so I'm going to use red to denote it.  And we'll abbreviate the signing key as SK.  And then Alice is also going to generate a separate key known as a verification key.  Now, the actual process of coming up with the signing key and a verification key kind of happens concurrently.  Alice will generate these two keys at the same time and they're going to have a mathematical relationship.  Okay, but the interesting thing is that you wanted to be the case that the verification key is public and signing key will be private but more so in a digital signature scheme it should be hard to come up with the verification key.  Or rather it should be hard to come up with a signing key rather if you only see the verification key.  Okay.

Now, let's consider what a digital signature on a message will entail.  So basically, if you have a message and let's call this message M and you wish to digitally sign that message.  What you are going to basically do is apply a mathematical transformation.  Alice is going to apply a mathematical transformation to the message M and her signing key SK.  Okay.  And the result of that transformation, the output of that transformation will be a special sequence of numbers that we call the signature on the message M.  Okay.  Now, the interesting thing here is that the signature basically is one that is derived from a combination of the message M, together with the signing key, the private sign of Alice and it's going to affectively produce a short, I give you a relatively short sequence of numbers as an output.  Okay.

And in particular digital signature schemes should be designed or they typically are designed so that only the person who possesses the signing key that private signing key is capable of generating this type of an output.  This type of signature S sub M on the message M.  Okay.  Now, the verification process is kind of analogous to the signing process but it involves the public verification key.  So, in the verification process, you actually have three different inputs.  So the first input would be the message that you want to verify the signature of.  You also need in addition to the message you need to get as input the signature on that message.  What is that S sub M look like.  And then finally the input, the final input to the verification scheme will be the public key.  The public verification key the belongs to Alice.  Okay.  And these three inputs are put in and there is a mathematical transformation, it's applied to these three inputs and basically with that mathematical transformation is trying to ascertain or check is that the signature that you see correspond to the message M is one that would have been produced by Alice's private signing key.  And this private signing key in turn corresponds to Alice's public verification key.

Now, what I think is really remarkable is that you can actually carry out this process with just the verification key that you don't actually need the signing key to validate digital signature, you don't even need inadvertently or indirectly.  You can do everything.  You can verify everything with knowledge of only the public verification key.  In the verification procedure, basically output's kind of a yes or no.  It tells you should I accept the signature or should I reject it.  Okay.  It's a basic validation procedure.  And so as you can see the process of signing effectively will bind this public verification key.  It binds the public verification key to Alice.  And Alice is the one who published this verification key and told the whole world, hey, this is my verification key in the system and only I will be able to sign messages that will be considered valid with respect to that verification key.  Okay.  And because the message is now being essentially bound to this public key and if you think of the public key as an identifier of sort, maybe an identifier for Alice.  Then you can think of digital signing as a process that basically binds an identity to an underlying message and that really gives us, in the mathematical sense it gives us the analog of a traditional handwritten signature.  Okay.

Now, I want to make two remarks and I think they are particularly relevant.  So first of all, you'll notice that the transformation that produces the actual digital signature itself, okay, this transformation right here that produces S sub M.  This transformation basically takes the message.  It takes the message as one of its inputs.  Okay.  And what that means is that the signature is dependent on the message if you change the message you'll get a different signature.  Now, in this sense a digital signature is actually different from a traditional handwritten signature, okay.  Your handwritten signature probably doesn't change, they are more or less stays the same regardless of what it is you're signing.  But your digital signature is very sensitive to what you're signing and it will vary depending on what you sign.  If you send a different message you'll get a different signature as an output.  Okay.

The second remark I want to make is that digital signatures are often associated with cryptographic hash function and I've already done a video on cryptographic hash function.  And in fact, I mentioned in that video and I'll reiterate here that the first cryptographic hash functions were actually designed specifically with digital signatures in mind as their killer application if you will.  So in particular what typically happens that before you actually sign an arbitrary message.  Let's say you have a huge message that you want to sign.  Before you sign this message, you're going to basically apply a cryptographic hash function to that message and you're going to get an output from that function, that cryptographic hash function you'll get a shorter output.  The digest of that cryptographic hash function.  And then what you do in a signing algorithm is rather than signing the original message you will first hash it and then sign the hash of the message, you'll sign the resulting digest instead of the original message.  Okay.

And this two-step paradigm of doing kind of hashing and signing really ends up simplifying the process of digital signing since you effectively are no longer dealing with an arbitrary length of input but instead you're working with a fixed length quantity.  Okay.  And this hash and sign part are actually a safe as long as it's hard to find two messages that map to the same output under the application of the hash function.  In other words, you can't come up with two messages that are different but whose output when the hash one can is applied to them are identical.  Okay.  In other words, the hash function as long as it's collision resistant, okay, will result in a secure signature scheme, put this hashing sign paradigm.  Okay.

Now, you can probably think about this for a moment but if you could find, let's say, two input messages that are distinct and that map to the same output under an application of the hash function that would in fact lead to some bizarre problems because a signature on the first message would then be identical to a signature on the second message since in both cases what you're doing is you're not signing the actual message you're signing the hash of the message.  So, if the hashes are identical you'll end up with the identical signature on two different messages and that could create problems like making it easy for maybe a particular message to be forged under this digital signature approaching that's obviously something you don't want.  You don't want someone to be able to come up with a signature on a different message as opposed to maybe the one that you initially intended to sign.  Okay.

Now, it is possible and I just want to make this this clear.  It's possible to describe the digital signatures with a lot more mathematical formalism but my hope with this video really was to give you a flavor, if you will, without drilling into all of the underlying nuances in mathematics.

Written by Zulfikar Ramzan on May 1, 2013.