## Digital Signature
Array of bytes that provide the following guarantees:
- **Authentication:** the message is from the claimed sender
- **Integrity:** message was not altered during transmission
- **Non-repudiation:** the sender cannot deny that they produced the signature

A digital sugnature is generated using a private key and verified using the corresponding public key. Usually, the message is first hashed (except for EdDSA) using some cryptographic hash function and then the signature is applied on the digest. This makes sense as we know algorithm like RSA can only hash limited volume of data.

### Digital Signature vs MAC
| Digital Signature                                       | MAC                                                                                   |
|---------------------------------------------------------|---------------------------------------------------------------------------------------|
| Produced with private key and verified with public key  | Same symmetric key used to both produce and verify                                    |
| Easy for multiple parties to verify                     | Challanging for multiple parties to verify since we need to distributekey to everyone |
| Provides non-repudiation                                | Does not provide non-repudiation                                                      |

## Algorithms
### RSA
In addition to encrypting data, RSA can also be used to generate and verify digital signature. It is the slowest algorithm to sign but fastest to verify. RSA also produces the largest signature (same size as the key). The process is similar to encrypting the hash using the private key and verifying involves decrypting the signature and matching the hash.

### DSA (Digital Signature Algorithm)
DSA uses keys of similar length as RSA (having same security characteristics) but produces signatures much shorter than RSA. Using key of length 512 bytes produces signature of length 70 or 71 bytes.

### ECDSA (Elliptic Curve Digital Signature Algorithm)
A variant of DSA that uses Elliptic Curve to create public private keypair. An elliptic curve is represented by expression $y^2 = x^3 + ax + b$  

<img src="images/elliptic_curve.png" />

To generate the keypair we need:
1. The curve equation, example $y^2 = x^3 - x + 1$
2. A prime number $p$ which represents the range of allowed numbers
3. Base point $G$ which is a starting point on the curve
4. Order $n$ representing total number of points that can be generated starting at $G$

To generate private key $d$, we just pick a secure random number between $[1, n-1]$  
To generate the public key, we do elliptic curve point multiplication $Q = d\times G$. $Q$ is also a point on the curve.

We have a trapdoor function here since it is easy to get $Q$ given $d$ and $G$, but finding $d$ given $Q$ and $G$ is practically impossible.

ECDSA's advantage over DSA is that it has a shorter key size for the same security level. The generated signature size is same as DSA.

### EdDSA

## OpenSSL
### Generating EC Key Pair
To generate elliptic curve keypair:
```bash
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out ec_keypair.pem
$ cat ec_keypair.pem
  -----BEGIN PRIVATE KEY-----
  MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIAy6eza5NzgBhzUbl8
  vRPpRJawgx5bQtIPjzZjdduUtA5CtXR/mfcXtdvmaCguzgSfabNoj6KmJBzJLgyr
  ...
  -----END PRIVATE KEY-----
```

We can analyse the keypair using:
```bash
$ openssl pkey -in ec_keypair.pem -noout -text
```
The output contains all information about the key such as:
- ASN1 OID: `prime256v1` which contains domain parameters (curve, $G$, $n$, $p$).  
  This is always fixed and standardised.
- priv: which is $d$
- pub: which is $Q$
  
To extract public key out of this:
```bash
$ openssl pkey -in ec_keypair.pem -pubout -out ec_public_key.pem
$ cat rsa_public_key.pem
  -----BEGIN PUBLIC KEY-----
  MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtJKZNGMiERpljx7Xi02P
  imT2DQ3A2hMK9f2hXvUdQE41u5jYC2RgmhlB1pY2dwBZlB2+LELOC/TYmILKfFhw
  ...
  -----END PUBLIC KEY-----
```
On inspecting the key, we would get only the public part and the domain parameters:
```bash
$ openssl pkey -pubin -in ec_public_key.pem -noout -text
```

### Producing and Verifying Signatures
Use the `pkeyutl` command. It can also produce the message digest so we don't have to separately run `dgst` command. To generate signature (DER ASN.1 format):
```bash
$ openssl pkeyutl -sign -digest sha3-512 -inkey ec_keypair.pem -in message.txt -rawin -out message.txt.signature
```
To verify:
```bash
$ openssl pkeyutl -verify -digest sha3-512 -pubin -inkey ec_public_key.pem -in message.txt -rawin -sigfile message.txt.signature
Signature Verified Successfully
```

## Java

In [None]:
// Generate EC keypair
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(new ECGenParameterSpec("secp256r1")); // aka P-256
KeyPair keyPair = kpg.generateKeyPair();

// Sign
byte[] data = Files.readAllBytes(new File("C:\\message.txt").toPath());
Signature signer = Signature.getInstance("SHA256withECDSA");
signer.initSign(keyPair.getPrivate());
signer.update(data);
byte[] signature = signer.sign(); // DER encoded

// Verify
Signature verifier = Signature.getInstance("SHA256withECDSA");
verifier.initVerify(keyPair.getPublic());
verifier.update(data);
boolean verified = verifier.verify(signature);