Home/Blockchain/Digital Signatures/How Signatures Work

🔐 The Sign & Verify Process

Understand how cryptographic signatures prove ownership without revealing keys

Your Progress

0 / 5 completed

Introduction

How Signatures Work

Signature Algorithms

Blockchain Applications

Key Takeaways

←

Introduction

⚙️ How Digital Signatures Work

Digital signatures use a four-step process: hash the message, sign with private key, broadcast the signature, and verify with public key. Let's walk through each step.

🎮 Interactive: Step-by-Step Signature Process

Click through each step to see how a digital signature is created and verified

🔢

Step 1: Hash the Message

Convert the message into a fixed-size hash using SHA-256

Input:

Message: "Send 1 BTC to Alice"

↓

Output:

Hash: 3a7bd3e2f4c1a9b8...

Any message (1 byte or 1 GB) becomes a 256-bit hash. This ensures signatures are always the same size and signing is fast.

🎮 Interactive: Hash Function Demo

See how any message becomes a fixed-size hash (Step 1 of signing)

Input Message

🔐 The Math Behind ECDSA

Signing (Creating Signature)

1. Generate random k (nonce)

2. Calculate point R = k × G (on elliptic curve)

3. r = R.x (x-coordinate of R)

4. s = k⁻¹ × (hash + r × privateKey) mod n

→ Signature = (r, s)

Without the private key, you cannot compute s. The math is one-way.

Verification (Checking Signature)

1. Calculate u₁ = hash × s⁻¹ mod n

2. Calculate u₂ = r × s⁻¹ mod n

3. Calculate point P = u₁ × G + u₂ × PublicKey

4. Check if P.x == r

→ If equal: Valid ✅ | If not: Invalid ❌

Anyone with the public key can verify, but only the private key holder could have signed.

🛡️ Security Properties

🔒

Unforgeable

Without the private key, creating a valid signature is computationally impossible (2^128 operations to brute force).

🧬

Message-Specific

Each signature is unique to the message. You can't copy a signature from one transaction to another.

⚡

Fast Verification

Verifying a signature takes milliseconds on any device. This is why Bitcoin can validate thousands of transactions per block.

🔍

Publicly Verifiable

Anyone can verify signatures without permission. No central authority needed - pure math.

⚠️ Common Mistakes That Break Security

❌ Reusing the nonce (k)

If you use the same k for two signatures, attackers can calculate your private key! PlayStation 3 was hacked this way in 2010.

❌ Using weak random number generator

If k is predictable, your private key can be found. Always use cryptographically secure random generation.

❌ Signing without hashing first

Signing raw messages is vulnerable to attacks. Always hash the message with SHA-256 or similar first.

✅ What You've Learned

✓4-step process: Hash → Sign → Broadcast → Verify
✓ECDSA math uses elliptic curves to create signatures only the private key holder can generate
✓Verification is fast and publicly accessible - anyone can check validity
✓Security depends on proper random nonce generation and hashing