Digital Signatures
A digital signature is a mathematical proof that a specific private key authorized a specific message — computationally infeasible to forge without the key, and verifiable by anyone with the public key.
Digital signatures are what make Bitcoin transactions trustless. When you send BTC, your wallet creates a signature that proves you authorized the transfer — without revealing your private key. Every transaction on every blockchain is authorized by a signature. Understanding them reveals both why the system is secure and exactly how it can fail.
The Intuition
When you sign a physical document, anyone who knows your handwriting can verify it — but a skilled forger can copy your signature. Digital signatures solve both problems simultaneously: they're computationally infeasible to forge without the private key, and anyone can verify them using only the public key.
A digital signature is a mathematical function of both your private key and the exact content of the message. Change one bit of the message — one character, one satoshi — and the signature is invalid. The message and the authorization are cryptographically bound.
See it concretely
Imagine a notary seal that's uniquely tied to both the document's exact contents and the notary's secret stamp. If anyone changes even one word after signing, the seal's pattern no longer matches the document.
And anyone can check the seal using a publicly published verification key — no need to ever see the notary's private stamp. That's ECDSA: the signature mathematically encodes both 'this private key authorized this' and 'this is the exact message that was authorized.' You can verify either claim independently, without trust in any intermediary.
The precise version
ECDSA (Elliptic Curve Digital Signature Algorithm) over secp256k1 (Bitcoin's curve):
To sign message m with private key k:
1. Compute z = hash(m), truncated to the bit length of the curve order n
2. Generate cryptographically random nonce r ∈ [1, n−1]
3. Compute curve point (x₁, y₁) = r·G
4. Compute s = r⁻¹(z + k·x₁) mod n
5. Signature: (x₁ mod n, s)
To verify with public key K = k·G:
Compute u₁ = s⁻¹·z mod n, u₂ = s⁻¹·x₁ mod n
Accept if (u₁·G + u₂·K).x ≡ x₁ mod n
Critical vulnerability: the nonce r must be unique and unpredictable per signature. Reusing r for two different messages exposes k algebraically: both signatures share x₁, so s₁ − s₂ = r⁻¹(z₁ − z₂) mod n reveals r, and k then follows from s = r⁻¹(z + k·x₁). This is how the PS3 master signing key was extracted in 2010. Deriving the nonce deterministically from the private key and the message hash (RFC 6979) removes the dependence on a random number generator entirely.
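The signing and verification steps above, together with the nonce-reuse failure mode, as an added Python example that is not code from the original page: a from-scratch secp256k1 implementation using the page's own symbols (k private key, r nonce, signature (x₁ mod n, s)). The HMAC-based nonce derivation is a simplified stand-in for RFC 6979, and the key and messages used with it are constructed test values, not real ones.

```python
import hashlib, hmac
# secp256k1 domain parameters (Bitcoin's curve): field prime P, group order N, generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition/doubling on y^2 = x^3 + 7; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Q=G):  # double-and-add scalar multiplication k*Q
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def z_of(m):  # step 1: SHA-256 already has n's bit length (256), so no truncation is needed
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def det_nonce(k, m):  # nonce from key + message (simplified HMAC scheme, not the full RFC 6979 procedure)
    d = hmac.new(k.to_bytes(32, "big"), hashlib.sha256(m).digest(), "sha256").digest()
    return int.from_bytes(d, "big") % (N - 1) + 1

def sign(k, m, r=None):  # steps 1-5 with the page's symbols: k private key, r nonce -> (x1 mod n, s)
    z, r = z_of(m), r or det_nonce(k, m)
    x1 = mul(r)[0] % N
    s = pow(r, -1, N) * (z + k * x1) % N
    assert x1 and s, "zero component: choose a new nonce and retry"
    return (x1, s)

def verify(K, m, sig):  # u1 = s^-1 z, u2 = s^-1 x1; accept iff (u1*G + u2*K).x == x1 mod n
    x1, s = sig
    if not (0 < x1 < N and 0 < s < N): return False
    w, z = pow(s, -1, N), z_of(m)
    R = add(mul(w * z % N), mul(w * x1 % N, K))
    return R is not None and R[0] % N == x1

def key_from_reused_nonce(m1, sig1, m2, sig2):
    # failure mode from the text: equal x1 => equal r => s1 - s2 = r^-1 (z1 - z2) mod n, which yields r and then k
    (x1, s1), (x2, s2) = sig1, sig2
    assert x1 == x2, "signatures do not share a nonce"
    r = (z_of(m1) - z_of(m2)) * pow(s1 - s2, -1, N) % N
    return (s1 * r - z_of(m1)) * pow(x1, -1, N) % N
```

With the deterministic nonce, signing the same message twice yields the same signature while different messages never share x₁; passing the same explicit r to two different messages reproduces the condition the text warns about.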
\sigma = \bigl(x_1 \bmod n,\ s\bigr) \text{ where } s = r^{-1}(z + k \cdot x_1) \bmod n
Check your understanding
Why must the ECDSA signing nonce be unique every time?
What does a Bitcoin transaction signature actually prove?
What is the difference between signing and encrypting with a private key?
- I know what a digital signature proves (and what it doesn't — it's not encryption)
- I understand why nonce reuse in ECDSA is catastrophic
- I can trace how a Bitcoin transaction is authorized by signature
Sony's PlayStation 3 master signing key was extracted without breaking ECDSA's mathematics. How?