If you've ever used Bitcoin to send a transaction, you've made a cryptographic signature before. I imagine when most people think of cryptography they think about hiding secrets in such a way that hopefully only a person with the correct key can recover the hidden information. A cryptographic signature does something nearly the opposite: for some signed piece of data, it provides assurance that only someone with the proper key could have signed it.
Despite protestations of various Agencies of corporate and government natures trying to simplify this digital signature business by posing easy solutions to the masses, a proper digital signature is a cryptographic one. Some 4 or 5 digit number mailed to a recipient for them to later enter into a website is a poor substitute for an actual digital signature. A digital signature of any importance must necessarily be a strong cryptographic signature. With that I will sort the various digital signature types as I understand their quality.
- RSA using long keys: This is the sort of signature people use with GPG when they use GPG the right way. The mathematics behind the algorithm date back to the 1970's and the NSA's efforts to muck up encryption standards in the process of their development.[1] The right key length seems to increase over time, but keys at least 2048 bytes in length are probably secure at the present. Keys 4096 bytes in length or longer are probably secure in the present and some distance into the foreseeable future. Just do it.
- Some ECDSA Schemes: These nearly always feature shorter key and signature lengths which can be useful in many cases. All of these schemes are dependent on the random selection of one or more values to be used at signing, and selecting these values in a predictable way means someone else can solve your private key and be you for all purposes in which you secure your identity with that signature. Even if you are Sony.[2] RSA technologies has had to advise their customers not to use their own products over stupid design decisions like "At the time, elliptic curves were in vogue" so this stuff is hard to do right. Proceed with caution.
- Other Promising Schemes: Much of the "Quantum Resistant" stuff like Lamport falls into this category. Most of these either lack useful implementations in software that have been subjected to scrutiny, or scrutiny in general. Proceed with caution and maybe try coding some things.
- Fail: Broken algorithms including some ECDSA flavors. Other ECDSA flavors with suspected backdoors. Old broken algorithms, good algorithms with short key lengths, and laughably broken systems like mailed PIN numbers go here.
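One mitigation for the predictable-nonce failure described in the ECDSA item above is to derive the signing nonce deterministically from the private key and the message, in the manner RFC 6979 specifies. The following is an added example, not code from the original post; the choice of the secp256k1 group order, the sample key and the function names are assumptions made for illustration.

```python
# Added example: RFC 6979-style deterministic ECDSA nonce (HMAC-DRBG, SHA-256).
# Function names and the sample key are hypothetical, chosen for this sketch.
import hashlib
import hmac

# Group order of secp256k1, the curve Bitcoin uses.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = Q.bit_length()        # 256 bits
ROLEN = (QLEN + 7) // 8      # 32 bytes
# Constructed sample private key in [1, Q-1]; never use a key derived like this.
SAMPLE_KEY = int.from_bytes(hashlib.sha256(b"constructed sample key").digest(), "big") % (Q - 1) + 1


def bits2int(data: bytes) -> int:
    """Interpret the leftmost QLEN bits of data as a big-endian integer."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - QLEN
    return value >> excess if excess > 0 else value


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def deterministic_nonce(priv: int, message: bytes) -> int:
    """Derive the per-signature nonce k from the private key and message hash."""
    if not 1 <= priv < Q:
        raise ValueError("private key out of range")
    h1 = hashlib.sha256(message).digest()
    x = priv.to_bytes(ROLEN, "big")                 # int2octets(x)
    z = (bits2int(h1) % Q).to_bytes(ROLEN, "big")   # bits2octets(h1)
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = _mac(k, v + b"\x00" + x + z)
    v = _mac(k, v)
    k = _mac(k, v + b"\x01" + x + z)
    v = _mac(k, v)
    while True:
        v = _mac(k, v)               # hash length equals QLEN, one block is enough
        candidate = bits2int(v)
        if 1 <= candidate < Q:       # reject 0 and values >= Q, then retry
            return candidate
        k = _mac(k, v + b"\x00")
        v = _mac(k, v)
```

Because the nonce depends on both the key and the message hash, two different messages never share a nonce through a faulty random number generator, and signing no longer needs randomness at all.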
I've got more to write on this subject coming up including how to make and verify Bitcoin address signatures, and why Bitcoin address signatures are shittier than good GPG signatures using RSA.[3]
1. Earlier they merely attempted to muck up encryption standards by statute.
2. I plan to write more on Bitcoin address signatures in particular later.
3. This may be one, two, or more posts. It is hard to predict these things before you write them.