Why is hashing (digest) employed in digital signatures?

Question

A digital signature is the following process: - Use message - Hash it (giving digest), encrypt digest with private key. - Append encrypted digest to the message.

Why not just encrypt the message with private key?

I assume that then attacker could just change something, we would be able to decode, but we would get different message than the sent one. We also wouldn't be able to recognize that the message was changed.

Why not just encrypt the message and append the encrypted one to the original message?

I assume the message would be twice the size which is inconvenient for large messages. Also public-private keys have the restriction on message length, which would lead to the need of breaking message into parts.

Are my reasons correct? Something else that I missed?

Can you please limit your posts to a) one question that is b) within our site scope (which you can check by reading our [about] and [ask] pages) — Rory Alsop, Oct 28 '17 at 21:24
Why is this too broad. I asked a specific question with two counter examples and my assumptions for why are they not valid. — croraf, Oct 28 '17 at 21:41
https://security.stackexchange.com/questions/122051/what-is-the-difference-between-a-digital-signature-and-whole-message-encryption?rq=1 what about this — croraf, Oct 28 '17 at 21:45

A. Darwin · Accepted Answer · 2017-10-23T18:29:22.407

3

Why not just encrypt the message with private key?

As far as I know, it's just for efficiency. Encrypting with asymmetric algorithms is notoriously a time (and resource) consuming operation, particularly when the plaintext size is rather large (MB, even GB).

To avoid that, you just encrypt the hash, which has a much shorter length, and still guarantees that the signed file can't have been altered.

I assume that then attacker could just change something, we would be able to decode, but we would get different message than the sent one. We also wouldn't be able to recognize that the message was changed.

In general, yes, only cryptographic hashes (and related techniques such as message authentication codes) allow you to recognize that the message hasn't been changed. However, with most modern algorithms an attacker cannot easily modify the ciphertext E(m) to a value corresponding to another arbitrary message m'.

Why not just encrypt the message and append the encrypted one to the original message?

Do you mean m|E(m), i.e. plaintext concatenated with its ciphertext encrypted with the private key? If so, it's again mostly due to effiency reasons. As I have already said, encrypting a document asymmetrically is a computationally expensive operation. In addition, as you have correctly said, the size would be almost doubled.

edited Oct 23 '17 at 18:29

answered Oct 23 '17 at 18:10

A. Darwin

3,602
2
17
27

So computing hash is way faster then encryption? – croraf Oct 23 '17 at 18:11
Yes. More precisely, computing the hash and encrypt it is way faster than encrypting the entire file. – A. Darwin Oct 23 '17 at 18:13
Computing the hash, encrypting it and appending :). Do you agree with the attacking posiblitiy in 1.? – croraf Oct 23 '17 at 18:14
1

No. If attacker changes the document, the hash will change too. During validation both hashes (actual and inside signature) are compared. And if they differ, then the source was tampered. The only way to crack the signature is to create hash collision. Any hash algorithm is vulnerable to collissions, but for modern algorithms it is computationally expensive operation. – Crypt32 Oct 23 '17 at 21:11
In 1 we assume no hash used, just encrypting the message and send it that way. – croraf Oct 25 '17 at 11:32

Why is hashing (digest) employed in digital signatures?

1 Answers1