Digital signature
==Method==
{{More citations needed|Method section|date=January 2022}}
One digital signature scheme (of many) is based on [[RSA (algorithm)|RSA]]. To create signature keys, generate an RSA key pair containing a modulus, ''N'', that is the product of two random secret distinct large primes, along with integers, ''e'' and ''d'', such that ''e'' ''d'' [[Modular arithmetic|≡]] 1 (mod ''φ''(''N'')), where ''φ'' is [[Euler's totient function]]. The signer's public key consists of ''N'' and ''e'', and the signer's secret key contains ''d''.

Used directly, this type of signature scheme is vulnerable to a key-only existential forgery attack. To create a forgery, the attacker picks a random signature σ and uses the verification procedure to determine the message, ''m'', corresponding to that signature.<ref name="2Zzbo">"Modern Cryptography: Theory & Practice", Wenbo Mao, Prentice Hall Professional Technical Reference, New Jersey, 2004, pg. 308. {{ISBN|0-13-066943-1}}</ref> In practice, however, this type of signature is not used directly. Instead, the message to be signed is first [[cryptographic hash function|hashed]] to produce a short digest, which is then [[Padding (cryptography)#Public key cryptography|padded]] to a larger width comparable to ''N'' and signed with the reverse [[trapdoor function]].<ref name="Jwm4G">Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Fifth Printing (August 2001) page 445.</ref> The forgery attack then yields only the padded hash function output that corresponds to σ, not a message that leads to that value, so it does not produce a usable forgery.

In the random oracle model, [[Full domain hash|hash-then-sign]] (an idealized version of that practice where hash and padding combined have close to ''N'' possible outputs) is existentially unforgeable, even against a [[chosen-plaintext attack]].<ref name="lysythesis" />{{Clarify|reason=Please give a page number or theorem number.|date=September 2010}}<ref>{{cite conference |last1=Bellare |first1=Mihir |author-link1=Mihir Bellare |last2=Rogaway |first2=Phillip |author-link2=Phillip Rogaway |title=The Exact Security of Digital Signatures—How to Sign with RSA and Rabin |date=1996 |series=Lecture Notes in Computer Science |volume=1070 |editor-last=Maurer |editor-first=Ueli |editor-link=Ueli Maurer (cryptographer) |conference=Advances in Cryptology — EUROCRYPT '96 |book-title=International Conference on the Theory and Application of Cryptographic Techniques Saragossa, Spain, May 12–16, 1996 Proceedings |conference-url=https://link.springer.com/book/10.1007/3-540-68339-9 |language=en |location=Berlin, Heidelberg |publisher=Springer |pages=399–416 |doi=10.1007/3-540-68339-9_34 |doi-access=free |isbn=978-3-540-68339-1 |issn=0302-9743 |eissn=1611-3349 }}</ref>

There are several reasons to sign such a hash (or message digest) instead of the whole document.
;For efficiency: The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice.
;For compatibility: Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number ''N''). A hash function can be used to convert an arbitrary input into the proper format.
;For integrity: Without the hash function, the text "to be signed" may have to be split (separated) into blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognize whether all the blocks are present and in the appropriate order.
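
The contrast between RSA used directly and hash-then-sign can be checked with a short Python sketch. It is an added example, not part of the original article: the key is a constructed toy key built from two public Mersenne primes, <code>encode</code> (SHA-256 reduced modulo ''N'') is an assumed stand-in for real hash-and-padding encodings, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key from two well-known Mersenne primes (2^31-1, 2^61-1).
# Real keys use random secret primes; these are public and far too small.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # e*d ≡ 1 (mod φ(N)); needs Python 3.8+

def textbook_sign(m: int) -> int:
    """RSA used directly: the message itself is the integer that gets signed."""
    return pow(m, D, N)

def textbook_verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N

def encode(message: bytes) -> int:
    """Assumed stand-in for hash plus padding: SHA-256 digest reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def hashed_sign(message: bytes) -> int:
    return pow(encode(message), D, N)

def hashed_verify(message: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == encode(message)

def message_for_signature(sigma: int) -> int:
    """The verification procedure applied to sigma, using only (N, E)."""
    return pow(sigma, E, N)

def demo() -> dict:
    sigma = 123456789                  # constructed: any value below N
    m = message_for_signature(sigma)   # computed without the secret D
    # Under hash-then-sign, m is only the encoded value sigma corresponds to;
    # a message that encodes to m is still missing. Submitting m itself fails.
    m_bytes = m.to_bytes((N.bit_length() + 7) // 8, "big")
    good = hashed_sign(b"pay 10 EUR")  # constructed sample message
    return {
        "textbook_accepts_forgery": textbook_verify(m, sigma),
        "hashed_accepts_forgery": hashed_verify(m_bytes, sigma),
        "hashed_accepts_genuine": hashed_verify(b"pay 10 EUR", good),
        "hashed_accepts_altered": hashed_verify(b"pay 99 EUR", good),
    }

if __name__ == "__main__":
    print(demo())
```

Only the direct scheme accepts the pair built from the public key alone; the hashed scheme rejects it and also rejects an altered message under a genuine signature.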