A MAC and a digital signature both verify message integrity. What property does a digital signature provide that a MAC cannot, and why does this matter for legal and financial applications?
Think about your answer, then reveal below.
Model answer: Digital signatures provide non-repudiation: only the holder of the private key can produce the signature, so the signer cannot later deny having signed. With a MAC, both parties share the same key, so either could have produced the tag — the receiver cannot prove to a third party that the sender specifically authored the message. Non-repudiation matters for contracts, financial transactions, and legal documents where accountability and proof of origin are required.
Non-repudiation transforms a two-party integrity check into a publicly verifiable proof of authorship. A judge, auditor, or any third party can verify the signature using the public key without accessing any secrets. This is why digital signatures are legally recognized in most jurisdictions as equivalent to handwritten signatures for electronic documents.
Question 2 Multiple Choice
Why do signature schemes sign the hash of the message rather than the message itself?
AHashing reduces the message to a fixed size, making the signature operation efficient regardless of message length. It also prevents algebraic attacks (like RSA's multiplicative homomorphism) that exploit structure in the raw message space
BHashing makes the signature longer, providing more security
CThe hash function encrypts the message, providing confidentiality alongside authentication
DSignature algorithms cannot operate on inputs larger than 256 bits
RSA and DSA operate on fixed-size inputs (the size of the modulus or group order). Hashing reduces any message to a fixed-size digest. More critically, hashing destroys algebraic structure. Without hashing, RSA signatures are multiplicatively homomorphic: s1 * s2 is a valid signature on m1 * m2. Hashing prevents this because H(m1 * m2) != H(m1) * H(m2). The hash function acts as a computational barrier between the message space and the algebraic domain where the signature is computed.
Question 3 True / False
ECDSA (Elliptic Curve DSA) requires a fresh random nonce k for each signature. If the same k is used to sign two different messages, the private key can be recovered.
TTrue
FFalse
Answer: True
This is not a theoretical concern — it destroyed real systems. In ECDSA, the signature component s = k^(-1)(H(m) + r*x) mod n, where x is the private key. With two signatures (s1, s2) using the same k, the attacker computes k from s1 - s2 = k^(-1)(H(m1) - H(m2)) and then recovers x. Sony's PlayStation 3 code signing was broken this way in 2010 (they used a constant k). Deterministic nonce generation (RFC 6979) eliminates this risk by deriving k from the private key and message.
Question 4 Multiple Choice
A certificate authority signs a website's public key, creating a certificate. If the CA's signing key is compromised, what is the scope of the damage?
AOnly the specific website whose certificate was most recently signed is affected
BEvery certificate ever signed by that CA becomes untrustworthy — the attacker can forge new certificates for any domain, enabling man-in-the-middle attacks against all sites that browsers trusted via that CA
CNo damage occurs because the website's private key is separate from the CA's key
DOnly future certificates are affected; existing certificates remain valid
The CA's signing key is the root of trust for all certificates it has issued. An attacker with the CA's private key can create valid-looking certificates for any domain — google.com, your bank, anything — that browsers will accept without warning. This enables MITM attacks on any HTTPS connection. This catastrophic failure mode is why CA private keys are stored in hardware security modules, why certificate transparency logs exist, and why key compromise requires revoking the CA and all its certificates. The DigiNotar breach (2011) demonstrated this: a compromised CA led to real attacks on Iranian users.
Question 5 True / False
RSA signatures and RSA encryption use the same mathematical operation (modular exponentiation) but with the roles of public and private keys swapped.
TTrue
FFalse
Answer: True
In RSA encryption, the sender uses the public key (exponent e) and the receiver uses the private key (exponent d) to decrypt. In RSA signatures, the signer uses the private key (exponent d) to sign and the verifier uses the public key (exponent e) to verify. Signing is 'encryption with the private key' and verification is 'decryption with the public key.' However, this symmetry is specific to RSA — other signature schemes (DSA, ECDSA, Ed25519) use entirely different mathematical structures for signing and verification.