Digital Signature lets you verify that no one tampers with your data through a signature. It confirms the authenticity and the integrity of the signed data, but not its secrecy. It is asymmetric, meaning it uses a pair of keys (public key and private key).
Signatures have the following properties:
- Authenticity: It is impossible to create a signature for which
PublicKeyVerify.Verify(signature, message)validates, unless you have the private key.
- Asymmetric: Creating the signature uses a different key than verifying it. This lets you distribute the Public Key to verify signatures to parties that can't create signatures themselves.
If you don't need asymmetry, consider using the simpler and more efficient MAC instead.
The functionality of Digital Signature is represented in Tink as a pair of primitives:
- PublicKeySign for data signing
- PublicKeyVerify for signature verification
Choosing a key type
We recommend using ECDSA_P256 for most uses, but there are a variety of options. In general, the following holds true:
- ECDSA_P256 is the most popular and works just fine in most cases. We note however that ECDSA Signature are malleable.[^1]
- ED25519 creates deterministic signatures and provides better performance than ECDSA_P256.
- RSA_SSA_PKCS1_3072_SHA256_F4 creates deterministic signatures and provides the best verification performance (but signing is much slower than ECDSA_P256 or ED25519).
Minimal security guarantees
- Data to be signed can have arbitrary length
- 128-bit security level against adaptive chosen-message attacks for elliptic curve based schemes
- 112-bit security level against adaptive chosen-message attacks for RSA based schemes (allows 2048 bit keys)
Example use case
See I want to digitally sign data.
[^1] This means that it is possible for an attacker to create a different valid signature for an already signed message. While this is not a problem for most scenarios, in some cases programmers implicitly assume that valid signatures are unique, and this can lead to unexpected results.