A digital signature does for electronic data what a handwritten signature and a tamper-evident seal do together for paper: it proves who created something and shows that nobody has altered it since. Unlike a scanned signature image, which anyone could copy and paste, a real digital signature is bound mathematically to both the signer and the exact content, so it cannot be lifted onto a different document or forged without the signer’s secret key. Digital signatures secure software downloads, the certificates behind HTTPS, and countless agreements. They also depend on hash functions, which is why our SHAttered research on breaking SHA-1 had direct consequences for signatures. This guide explains how they work, the role of hashing and key pairs, and why a hash collision is such a serious threat.
What a Digital Signature Proves
A digital signature delivers three assurances at once, and it is worth naming them because each answers a different question.
Authenticity confirms who created or approved the data. A valid signature could only have been produced by the holder of a specific private key, so it ties the data to that signer.
Integrity confirms the data has not changed since it was signed. If even a single bit is altered, the signature no longer verifies, and the change is exposed.
Non-repudiation means the signer cannot credibly deny having signed. Because only they hold the private key that produced the signature, they cannot later claim someone else did it.
A handwritten signature, by contrast, proves authorship only weakly and says nothing about whether the document was altered after signing. A digital signature binds identity and content together, which is what makes it far stronger than its paper namesake.
The Two Ingredients: Hashing and Asymmetric Keys
Digital signatures are built from two cryptographic tools working in combination. Understanding each separately makes the whole mechanism clear.
Asymmetric (Public-Key) Cryptography
Asymmetric cryptography uses a pair of mathematically linked keys: a private key, kept secret by the owner, and a public key, shared freely with anyone. The two are related so that operations done with one can be checked or undone with the other, yet you cannot derive the private key from the public key. For signatures, the roles are specific: the private key creates the signature, and the public key verifies it. This is the reverse of public-key encryption, where the public key encrypts and the private key decrypts, and it is the asymmetry that makes signing possible.
Hash Functions
A hash function takes data of any size and produces a short, fixed-length fingerprint called a digest. It is deterministic, so the same input always yields the same digest, and it has the avalanche property, so any change to the input produces a completely different output. Crucially, it is one-way and, when unbroken, collision resistant: nobody should be able to find two different inputs with the same digest. Our hash functions explainer covers these properties in full, and they are exactly what a signature relies on.
The reason signatures use a hash rather than signing the raw data is partly practical and partly fundamental. Asymmetric operations are slow and suited to small inputs, so signing a whole large document directly would be inefficient. Hashing first reduces any document, however large, to a small fixed-size digest that is quick to sign. Just as importantly, the digest stands in for the entire document, so signing it commits the signer to that exact content.
How Signing Works
Creating a digital signature is a two-step process that combines the tools above. Suppose you want to sign a document.
First, you compute the hash of the document, producing a fixed-length digest that uniquely fingerprints its contents. Second, you encrypt that digest with your private key. The encrypted digest is the digital signature, and you attach it to the document. That is the entire signing operation: hash the content, then sign the digest with the private key.
Because the signature was produced from the document’s hash, it is tied to that precise content. Change one character of the document and its hash changes, so the signature no longer corresponds. And because the signature was created with your private key, which only you hold, only you could have produced it. The two properties combine to bind your identity to that exact document.
How Verification Works
Anyone who receives the document, the signature, and your public key can check the signature without any secret of their own. Verification mirrors signing.
The verifier does two things in parallel. They take the signature and decrypt it using your public key, which recovers the original digest you signed. Separately, they compute the hash of the received document themselves. Then they compare the two digests. If the recovered digest and the freshly computed one match, the signature is valid: the document is genuinely from you and has not been altered. If they differ, something is wrong, either the document was changed or the signature does not belong to the claimed signer, and verification fails.
The logic is elegant. The public key confirms the signature came from the matching private key (authenticity), while the hash comparison confirms the content is unchanged (integrity). Neither check requires the verifier to know any secret, which is what lets signatures be verified by anyone, anywhere.
| Step | Signing (private key holder) | Verifying (anyone with public key) |
|---|---|---|
| 1 | Hash the document into a digest | Hash the received document into a digest |
| 2 | Encrypt the digest with the private key | Decrypt the signature with the public key |
| 3 | Attach the result as the signature | Compare the two digests |
| Result | A signature bound to signer and content | Match means valid; mismatch means tampered or forged |
Why a Hash Collision Threatens Signatures
This is where the SHAttered work connects directly to signatures, and it explains why a broken hash function is not just an academic curiosity.
Recall that a signature is really a signature on the document’s hash, not on the raw document. The system assumes that each document has, for all practical purposes, its own unique digest. Collision resistance is what guarantees that assumption: nobody should be able to find two different documents with the same hash. If that guarantee breaks, the entire security of the signature breaks with it.
Here is the attack. Suppose an attacker can find two documents with the same hash, one harmless and one malicious. They get you to sign the harmless one. Because the signature is computed from the hash, and both documents share that hash, your signature is simultaneously a valid signature on the malicious document. The attacker can now present the malicious document with your genuine signature attached, and verification will succeed, because the hashes match. You signed one thing; they can prove you signed another.
This is precisely the danger our SHAttered research demonstrated. By producing two different PDF files with the same SHA-1 hash, we showed that SHA-1’s collision resistance was broken in practice, which meant SHA-1 signatures could no longer be trusted. A signature is only as strong as the hash function beneath it. The moment that hash function falls to a collision attack, every signature relying on it is suspect. The wider cryptography hub tracks which hash functions remain safe for this purpose, with SHA-256 the current standard for signing.
Real-World Examples
Digital signatures are not abstract. Two everyday uses show how directly they depend on the hashing described above.
Digital Certificates and HTTPS
The certificates that secure HTTPS websites are digitally signed documents. A certificate authority hashes a certificate’s contents and signs that digest with its private key, vouching that a given public key belongs to a given domain. When your browser connects to a secure site, it verifies this signature using the authority’s public key, confirming the certificate is genuine and unaltered. Because that verification depends on a hash, weaknesses in older hash functions forced the industry to retire them from certificates, part of the same story behind SHAttered. Our guide to HTTPS and TLS covers how certificates fit into a secure connection.
Code Signing
Software publishers sign their applications and updates so your device can confirm the code really came from the stated developer and was not tampered with in transit. When you install signed software, the system hashes the program and checks the signature against the publisher’s public key. A valid signature means the installer is authentic and intact; a failed one warns you that the file may have been altered or corrupted. This is a frontline defense against malware disguised as legitimate software, and it too rests entirely on the integrity of the underlying hash function.
Frequently Asked Questions
How is a digital signature different from a scanned image of my signature?
A scanned signature is just a picture; anyone can copy it onto any document, and it proves nothing about whether the content changed. A digital signature is computed from the document’s hash using your private key, so it is bound to both your identity and that exact content. Alter the document and the signature fails to verify.
Which key signs and which key verifies?
The private key, held only by the signer, creates the signature. The public key, shared with anyone, verifies it. This is the reverse of public-key encryption, where the public key encrypts and the private key decrypts.
Why is a document hashed before it is signed?
Hashing reduces any document to a small, fixed-size digest, which is fast to sign and stands in for the full content. Asymmetric signing is slow on large data, so signing the digest is efficient, and because any change alters the hash, signing the digest still commits the signer to the exact document.
How does a hash collision let someone forge a signature?
If an attacker finds two documents with the same hash, a signature you make on one is automatically valid on the other, since the signature is really on the shared hash. They can then attach your genuine signature to a document you never approved. This is why a broken hash function, as we showed with SHA-1 in SHAttered, undermines signatures, and why secure hashes like SHA-256 matter.
