A digital signature lets you verify that no one tampers with your data. It provides authenticity and integrity of the signed data, but not its secrecy. It is asymmetric, meaning it uses a pair of keys (public key and private key).
Signatures have the following properties:
- Authenticity: It is impossible to create a signature for which
PublicKeyVerify.Verify(signature, message)validates, unless you have the private key. - Asymmetric: Creating the signature uses a different key than verifying it. This lets you distribute the public key to verify signatures to parties that can't create signatures themselves.
If you don't need asymmetry, consider using the simpler and more efficient MAC instead.
The functionality of digital signatures is represented in Tink as a pair of primitives:
- PublicKeySign for signing data
- PublicKeyVerify for verifying the signature
Choose a key type
We recommend using ECDSA_P256 for most use cases, but there are a variety of options. In general, the following holds true:
- ECDSA_P256 is the most widely used option and a reasonable default. Note though that ECDSA signatures are malleable.
- ED25519 creates deterministic signatures and provides better performance than ECDSA_P256.
- RSA_SSA_PKCS1_3072_SHA256_F4 creates deterministic signatures and provides the best verification performance (but signing is much slower than ECDSA_P256 or ED25519).
Minimal security guarantees
- Data to be signed can have arbitrary length
- 128-bit security level against adaptive chosen-message attacks for elliptic curve based schemes
- 112-bit security level against adaptive chosen-message attacks for RSA based schemes (allows 2048-bit keys)
Example use case
See I want to digitally sign data.
Malleability
A signature scheme is malleable, if an attacker can create a different valid signature for an already signed message. While this is not a problem for most scenarios, in some cases programmers implicitly assume that valid signatures are unique, and this can lead to unexpected results.