Digital Signature
advertisement
Pinsky/ Digital Signatures Digital Signatures: A Sign Of The Times L. Pinsky I. Introduction The increasingly ubiquitous presence of computers in our every day lives has reached the point where their use is presumed in most aspects of virtually every commercial transaction.1 Even in the non-commercial aspects of every day life, the computer's presence is generally taken for granted.2 Computers in their present form are a relatively recent incarnation.3 Computers were originally developed to perform complex mathematical calculations, to store and retrieve archival record data through the use of search engines, and to control immediately attached devices, such as those used in manufacturing and scientific experiments.4 The vast array of computer networks that are now in existence were largely unpredicted in the early days of computer use. They only became reasonable with the evolution of the technology well after the computer age had begun.5 This new technology allows one to Control the actions of a physically remote computer from a local computer, and further, with the ability of computers to communicate with each other in a seamless manner, the operational delineation of the borders of one's own machine has become somewhat arbitrary. That is, the technology has reached the 1 Larry Long and Nancy Long, COMPUTERS, 1-3 (3rd Ed.,1993) [Hereinafter Long & Long ]. Id . 3 Id. at 34-40, outlining the history of computing and pointing out that the first modern electronic digital computer was invented by Dr. John V. Atanasoff in 1939. The courts have also recognized Dr. Atanasoff. See Honeywell Inc. v. Sperry Rand Corp.,1973 WL 903 (D.Minn.), and Iowa State University State Research Foundation, Inc. v. Honeywell, Inc., v. Sperry Rand Corp., 459 F.2d 447 (8th Cir. 1972). 4 Id . Long and Long at 10-11, 18. 5 Id . at 200. 2 -1- Pinsky/ Digital Signatures point where the existence of network operating systems allows the blurring of the hardware into "virtual machines", a continually variable collection of components located worldwide, which appear to the user as if they were simple local intimate components of the hardware at her fingertips.6 This computer-to-computer communication capability has raised the legal issue of authenticity of documents which are entirely generated, transmitted, and received, within the electronic realm, where no other tangible form of the documents ever exists. This paper will address digital signatures ,7 one of the techniques developed to deal with the authenticity of the source and content of documents transmitted electronically between computers, and the at the same time, with the legal requirement for signatures and signed writings. It should be pointed out that the law has faced a similar issue in the past. The advent of the telegraph, and its wide use in commerce presented many of the same questions that purely electronic transactions do.8 However, the inclusion of the commercial telegraph operator as a potential trusted third party intermediary, breaks the symmetry sufficiently to prevent a simple transference of the principles.9 Part II presents an overview of the actual technique itself, and with its first full fledged statutory implementation in Utah. Utah is the only state so far to enact the legislation necessary to provide the legal infrastructure to allow digital signatures to legally authenticate documents. There is no reported case law at the present time, thus all of the all of the discussion is necessarily anticipatory at this stage. Part III discusses the need for and potential applications of digital signatures including the abilities to provide both factual authentication and legal Id . at 265-66. 7 See generally Alan Asay, Introduction to the Law and Technology of Digital Signatures , excerpted from DIGITAL SIGNATURE GUIDELINES, (ABA Section of Science and Technology, 1995) [Hereinafter ABA-DSG referring to the actual guidelines themselves]. 8 See John R. Thomas, Legal Responses to Commercial Transactions Employing Novel Communications Media , 90 Mich. L. Rev. 1145, 1150-52 (1992) [Hereinafter Thomas ], reviewing the law's adaptation to the use of telegraphy in commercial transactions. 9 Id . at 1152. 6 -2- Pinsky/ Digital Signatures commitment. Part IV follows with a brief consideration of some of the potential problems that must be dealt with if their use is to become widespread, with an assessment of the costs involved, and finally, Part V considers the alternatives to the use of the proposed digital signature scheme. II. What are digital signatures A. What do they do? The term digital signature generally applies to the technique of appending a string of characters to an electronic message that serves to identify the sender (the authentication function).10 Some digital signature techniques also serve to provide a check against any alteration of the text of the message after the digital signature was appended (the seal function). Early concerns in computer science were focused on the problem of the recipient being able to insure that the message received was genuine and unaltered. However, there was no reason to consider the potential legal problem of also being required to prove at a later time that the intended recipient did not himself alter the message for use as bogus evidence. This later capability (the integrity function) is clearly of great interest in the case where legal documents are to be created with the use of such digital signatures. Finally, there is the aspect of privacy (the confidentiality function) that is of significance in many instances where the sender wishes to keep the contents of the message secret from all but the intended recipient. The technique that has increasingly become the standard11 is one based on a Public Key Encryption [Hereinafter PKE] scheme.12 The PKE technique is based on an asymmetric pair of See R. L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems , 21:2 COMMUNICATIONS OF THE ACM [Ass'n. for Computing Machinery] 120, 121 (1978) [Hereinafter Rivest, et. al. ] describing the various functions that digital signatures can accomplish. 11 See A Proposed Federal Information Processing Standard [Hereinafter FIPS] for Digital Signature Standard [Hereinafter DSS], National Institute of Standards and Technology 10 -3- Pinsky/ Digital Signatures mutually inverse mathematical operations. The essential idea is that when a particular mathematical operation has a generally simple computation algorithm but simultaneously has a much more complex inverse process, by taking the number of digits involved up into the 100's, one can know both the process and the result, but still not be able to work backwards to the initial state.13 This property, as will be described in section B, infra , allows the construction of a PKE scheme whereby the author can encode his message with a Private-Key14, and then transmit [Hereinafter NIST], 56 FED. REG. 42980-2 (1991), proposing the adoption of a specific PublicKey based digital signature algorithm [Hereinafter DSA]. 12 This technique was first proposed by Whitfield Diffie and Martin Hellman, New Directions in Cryptography , 22:6 IEEE TRANSACTIONS ON INFORMATION THEORY 644 (1976) [Hereinafter Diffie & Hellman ], suggesting the use of the asymmetry in calculating logarithms compared with the inverse process of exponentiation as a basis for a PKE technique for one-way authentication. See also , Rivest et. al., supra note 10, providing an elegant formulation and proof of the suggestions of Diffie & Hellman, supra , and introducing the concept of a reversible public-key cryptosystem, adding the possibility of privacy to authentication, and T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms , 31:4 IEEE TRANSACTIONS ON INFORMATION THEORY 469 (1985) [Hereinafter ElGamal] refining the Diffie & Hellman technique for an irreversible PKE system. More recent treatises include: Zella Ruthberg and Hal Tipton, eds., The Handbook of Information Security Management (1993), collecting a series of articles on all aspects of information security including digital signature authentication techniques; and as references for the actual algorithms W. Ford, COMPUTER COMMUNICATIONS SECURITY PRINCIPALS, STANDARD PROTOCOLS & TECHNIQUES, (1994) [Hereinafter Ford ]; and M.Baum, FEDERAL CERTIFICATION AUTHORITY LIABILITY AND PRODUCT LAW: LAW POLICY OF CERTIFICATE-BASED PUBLIC KEY AND DIGITAL SIGNATURES (1994) [Hereinafter Baum ]. See also , Mitchell, Piper & Wild, Digital Signatures in CONTEMPORARY CRYPTOLOGY: THE SCIENCE OF INFORMATION INTEGRITY 325, 341-46 (Simmons, ed. 1991) [Hereinafter Mitchell, et. al. ], discussing generally the desirable features of digital signatures, and Dennis Longley, Ed Dawson and William Caelli, Applications and Theory of Cryptography in INFORMATION SECURITY HANDBOOK 317-454 (Caelli, Longley, & Shain, eds. 1991) [Hereinafter Longley, et. al. ]. 13 Id . Diffie & Hellman at 647-48. 14 Simply a suitably chosen number as described in Part II (A) infra . -4- Pinsky/ Digital Signatures the encoded message publicly along with a separate corresponding Public-Key,15 which must be externally attributable to the author. Then, with the encrypted message and only the Public-Key, the message can be decoded. The contents of the message are then verified as to content, and to the extent that the Public-Key is attributable to the author, the source is authenticated as well. Note that in this mode of operation, the authentication, seal, and integrity functions are satisfied, but the contents of the message are not confidential. Any person with access to the encrypted message and only the Public-Key may successfully decode the message. The salient feature, however, is that even with that information, no receiving party can reasonably calculate the form of the Private-Key. Thus, additional messages cannot be forged. It is worth emphasizing again that the entire authentication of the identity of the author, rests on the certainty with which one is able to associate the Public-Key with a particular author. There are two other somewhat less problematic assumptions that must also hold The Private-Key, of course, must be kept secure, and the more complex side of the asymmetric mathematical inverse operation must not yield to a simple algorithm. It is possible to use the PKE method to send encrypted messages that do satisfy the confidentiality function as well as the authentication, seal, and integrity functions.16 To do that however, both parties must employ the technique and the demands on the PKE algorithm are more stringent. The first party sends a second public key as part of his initial message, which the second party then uses to encrypt the return private message. That message must also be "signed" by the second party using his own set of keys to authenticate that message. To allow this privacy technique, the mathematical properties of the encoding and decoding operations must be successive permutations of the same general process.17 application of private and public keys must be permutable. 15 16 17 Id . The Public-Key and Private-Key are a particular related pair. See Rivest, et. al., supra note 10 at 121. Id . -5- That is, the sequence of Pinsky/ Digital Signatures The use of PKE was first introduced by Whitfield Diffie and Martin Hellman in 1976.18 Their algorithm was of the irreversible type which cannot be used for messages requiring confidentiality because it is not permutable.19 ElGamal offered an improved version of the Diffie and Hellman scheme in 1985, and that method has become the basis for the Digital Signature Standard [hereinafter DSS ] presently proposed by the National Institute of Standards and Technology [hereinafter NIST ], (formerly the National Bureau of Standards).20 In 1978 Rivest, Shamir, and Adleman [hereinafter RSA] introduced a permutable PKE scheme which is thus reversible and as such can be used for both the authentication and privacy functions as described above.21 At present, the DSS and RSA schemes are in competition, and will likely remain so for some time to come.22 B. How do they work? 1) Computers, Numbers, and Prime Numbers Digital Computers use binary number arithmetic at their most fundamental level of operation. This is basically because the elementary electronic circuitry used to represent and remember the numbers is by its nature 2-state. One state is used to represent the digit zero, and the other represents the digit 1. Each place in a binary number is referred to as a “bit”. Because 10 is not an integer power of 2, computers must convert decimal numbers into binary and vice Diffie & Hellman, supra note 12. 19 See Ford supra note 12 at 71-73. 20 See 56 FED. REG. 42980-2 (1991), supra note 12, and ElGamal supra note 12. Note that the ElGamal scheme included a mechanism to allow confidentiality, that aspect has not been incorporated into the DSS (Ford, supra note 12 at 75). 21 Rivest, et. al., supra note 12 at 121. 22 Ford note 12 supra at 83. 18 -6- Pinsky/ Digital Signatures versa when decimal representations are needed to communicate with humans. The transformations between decimal and binary are somewhat involved and thus present a slight impediment to efficiency. However, binary numbers may easily be represented in any number base that is an integer power of 2. Octal (base-8) and Hexadecimal (base-16) are the two most common representations encountered. Digital signatures as appended to messages typically employ hexadecimal representations for the body of the signature, which as will be described shortly, is essentially just a number. Briefly, to represent a number in hexadecimal, one requires 16 digits instead of the usual 10 employed in the decimal system. The digits 0 through 9 are used with their normal meaning and the letters A through F are added to the end to represent the digits whose decimal values are 10 through 15. So A represents the value 1010 (i.e. Where the subscript “10” implies the decimal interpretation of the digits value), B represents 1110, etc. with F being 1510. Thus in hexadecimal the digits 1016 represent the value 1610, 1F is 3110, and FF is 25510. Typically, the subscript “16“ is not used when the digits include letters. An alternate way to indicate hexadecimal numbers is to place the letter “H” in front of the number (e.g. HFF = FF16 ). Each hexadecimal digit represents a sequence of exactly 4 binary bits. Computer memory is typically divided into 8-bit segments called bytes. Thus each byte can be exactly represented by a 2-digit hexadecimal number, which is one reason for the popularity of hexadecimal representations among computer scientists. It is important to remember, however, that the fundamental properties of numbers are independent of their representation. That is, for example, the number 1710 is a prime number regardless of whether it is written in binary (100012), in octal (218), or in hexadecimal (1116), and the actual value which results from all numerical computations such as addition, subtraction, multiplication, and division are independent of representation of the numbers. Since all numbers in the computer are integers, special techniques have to be employed to represent fractions and real numbers. Those need not concern us, because all of the techniques -7- Pinsky/ Digital Signatures employed in the digital signature algorithms deal exclusively with the numbers as integers. Therefore, in the discussion that follows, all numbers will be treated as integers. In fact, the most common representation of textual characters, ASCII (pronounced ass-key two), uses a single byte for each character. For example, in the ASCII scheme the character “A” is 4116 (6510), the character “a” is 6116 (9710), and the “space” character is 2016 (3210). A total of 256 characters are possible. This is the default for each typical computer font used by word processors as well. Thus any string of text characters is already represented internally as a string of numerical digits, and can be manipulated directly as if they were numbers. The PKE scheme simply takes a text message and treats it as if it were such a number. In the following discussion, then, the “message” will simply be represented as a number consisting of a sequential string of hexadecimal digits. 2) Prime Numbers, Logarithms, and Some Basic Number Theory Prime numbers have fascinated mathematicians since the recorded beginnings of philosophy.23 Prime numbers are simply numbers (integers) that are not evenly divisible by any number but themselves and one. That is whenever they are divided by any smaller integer (except of course the integer 1), there is always a remainder. Numbers that are not prime are called composite because they can be represented by a unique combination of the product of primes (which are called the prime factors of that composite number).24 Euclid gave an elegant proof that the number of primes is infinite.25 This defies the naive impression that as one gets to See generally Tom Apostol, INTRODUCTION TO ANALYTIC NUMBER THEORY 1-12 (1976) [Hereinafter Apostol ]. 24 Id . at 16. 25 Id . at 16-17. Suppose that there are only a finite number of primes: p , p ,...,p . Let N = 1 2 n 1+p1p2...pn. It can be easily shown that if a number is not prime then it can be represented as the unique product of a combination of primes. Since N is > pn it cannot be prime given our assumption. Since none of the pi's divides evenly into N, the assumption must be false and it 23 -8- Pinsky/ Digital Signatures bigger and bigger numbers, the increasing availability of smaller candidate divisors must surely tend towards providing at least one that will evenly divide the number in question. In fact the frequency of primes does thin out. In the limit as one goes to very large numbers, the total number of primes less than some value, x, approaches x/log x.26 There is no known general formula which will discover all primes below some specified value,27 but there are many famous formulae for generating various sequences of primes.28 There is however no general way to find the ones that have been missed in between those that are generated by the various formulae.29 The gaps between primes are also erratic. All primes > 2 are necessarily odd numbers, and it appears as though there may be an infinite number of "twin primes" (adjacent odd numbers such as 101 & 103), but at the same time, there are long stretches with no primes (e.g. the prime number 370,261 is followed by 111 consecutive composite numbers).30 It is known that arbitrarily large gaps between successive primes must eventually occur as the size of the numbers increase.31 These properties of primes are important for the asymmetry property of most of the PKE techniques. It is especially important to note that there is no efficient algorithm to factor a large composite number into its prime factors.32 must be prime, because it cannot be represented as the product of primes. Thus, the number of primes must be infinite. 26 Id . at 8. 27 Id . at 6. Id . at 6-12. See also Rivest, et. al., supra note 10, describing an efficient algorithm for finding random large (> 200 digit) prime numbers. 29 Id . at 6. 30 Id . 31 Id . 32 See e.g. Rivest, et. al., supra note 10 at 125-26, pointing out that the most efficient known factoring routine would require over 1023 operations for a 200 digit number, and Longley et. al. supra note 12 at 428, evaluating the allied problem of finding discrete logarithms. 28 -9- Pinsky/ Digital Signatures Composite numbers can be relative primes to other numbers if the greatest common divisor is 1.33 That is they share no common prime factors. For example, 21 is relatively prime to 55, but 15 is not relatively prime to either. 21 has prime factors 3 and 7, whereas 55 has prime factors 5 and 11, and none are shared. On the other hand 15 has prime factors 3 and 5, sharing the 3 with 21, and the 5 with 55, making it not relatively prime to either. Notice that 15 does not evenly divide either 21 or 55. That property is in fact necessary for relative primes, but as we see here, it is not sufficient to establish that two numbers are relative primes. The final concept that must be mentioned is modular arithmetic. With modular arithmetic, the modulus simply specifies the total size of the applicable cyclic number field.34 That is when counting in modular arithmetic, one counts from 0 up to the modulus minus one, then recycles to 0 again. Thus counting modulo 5 for example, would look like: 0, 1, 2, 3, 4, 0, 1, 2, 3, 4, 0, 1, etc. So, the number 6 modulo 5 (which is written 6 (mod 5) ) means counting to 6 up from 0 (with the recycle at 4) yielding: 0, 1, 2, 3, 4, 0, 1. It follows then that the number 6 (mod 5) = 1.35 It is equivalent to say that to find the value of 6 (mod 5), one divides the modulus (5 in this case) into the number (6 in this case, which may be termed the dividend) and See generally Apostol ,supra note 21 at 14-21. 34 See e.g. Longley, supra note 12 at 439-42. 35 An alternative way to view modular arithmetic is related to the concept of the congruence of a number with respect to a particular divisor or modulus . (See generally H. Davenport, THE HIGHER ARITHMETIC 41-50 (1992) ). When a number is referred to modulo some other number, what is meant is that the number in question (the dividend) is divided by the modulus and the 33 remainder is the object of interest. For example this would be written as: 2 = 10 (mod 4), which states that the remainder is 2 after the number in question (10 in this case) is divided by the modulus (4 in this case). When the remainder is 0, the numbers are said to be congruent. Still another way to view the statement is to say that the difference between the two numbers is evenly divisible by the modulus, or more to the point for digital signatures, a modulus of any 2 numbers is a number that when it divides them each in turn will give the same remainder. That is 10 minus 2 is evenly divisible by 4, and both 10 and 2 when divided by 4 leave similar remainders of 2. The mathematical schemes used in digital signatures use these concepts. - 10 - Pinsky/ Digital Signatures the value sought is the remainder resulting from the division. Here, we are particularly un interested in the integer value of the quotient, and only concerned with the remainder. (5 divides 6 one time with a remainder of 1, so again we have 6 (mod 5) = 1). As a final note, observe that the size of the resulting remainder is never equal to or greater than the modulus, regardless of the size of the dividend to which it is applied. This is clear from the cyclic counting view of modular arithmetic. 3) The RSA Scheme The discussion here will be presented without proof. The interested reader is directed to the original paper of Rivest, et. al.36 (A simple numerical example is included in Appendix A). The basic operation behind the RSA scheme is the use of a key (a specially chosen number) as an exponent to be applied to the number, which represents the message (recall that all numbers referred to here are discrete integers). The message in its initial (numerical) state is termed the plaintext . The number resulting from the enciphering is called the ciphertext .37 The ciphertext number in the RSA method is the remainder modulo some other number (which is also needed as part of the key). This can be written as: C = M e ( mod N ); (1) where M is the plaintext message number and C is the resulting ciphertext form of that message. The numbers e and N taken together are the private key. There exists another number, d, which has the property that: Rivest , et. al., supra note 10. 37 Id . at 120. Note that the terms encipher and decipher are preferred to encrypt and decrypt because of the confusion in translation into many other languages of the words encrypt and decrypt as being related to the burying in the ground and the subsequent act of digging it up (Ford supra note 12 at 65). 36 - 11 - Pinsky/ Digital Signatures M = C d ( mod N ). (2) The number d along with N is the public key that can be used to decipher the ciphertext C, to recreate the original plaintext message, M. Recall that the " ( mod N ) " means that the dividend ( M e in equation 1, and C d in equation 2) is divided by N and the result is the remainder after that division. Were we not to take these modulated values, there would be a trivial inverse property: M = (Me)d; (3) by simply substituting equation 2 into equation 1. However in order for the inverse to hold: M = ( M e ) d ( mod N ); (4) e and d must be specially selected with respect to N. Further, for the confidentiality function to be implementable, the process must be permutable. That is e and d may be applied in either order: M = ( M e ) d ( mod N ) = ( M d ) e ( mod N ). (5) Rivest, et. al., showed that this is satisfied if the following conditions are met:38 38 Id . at 123. - 12 - a) N = p * q (where p and q are prime); b) d is relatively prime to = ( p - 1) * ( q - 1 );39 and (6) (7) Pinsky/ Digital Signatures c) e * d = 1 ( mod ( p - 1 ) * ( q - 1 ) ). (8) They further demonstrated that one can easily proceed to construct these numbers by first choosing two large primes, p and q, to determine N.40 The number of digits in N needs to be large enough to defeat attempts by persons seeking to find the private keys by factoring N. Recall that N itself will be disclosed along with e as part of the public key. Also, since the plaintext and ciphertext will be limited to a length less than N, a large enough value must be chosen to reduce the number of segments into which the total message to be encrypted must be broken. next, d is easily selected as it need only be relatively prime to (p-1) times (q-1). Finally, the expression given by equation 8 can be used to find the corresponding value of e using a fairly simple algorithm.41 Then to use the RSA scheme, one proceeds to choose suitable values for p, q, and d, calculating the appropriate value of e from them. p, q, and e must be kept secret. However, N (which is simply p*q ) and d are published together as the public key. Should an "attacker" attempt to find e from N and d, she would have 2 straight forward methods. First she could exhaustively try to find the value by trial and error. (i.e. Find the value of e which made equation 5 true for the known d and N). This is the least practical approach.42 The other option is to factor N to find p and q. Were that to succeed, then the attacker could reproduce the original calculation which the author used to find e in the first place. Thus, the method relies on the great is known as the Euler totient function (of N in this case), which is defined as the number of even numbers less than N that are relatively prime to N. See Apostol, supra note 23 at 25. 40 Id , at 123-24, noting that several algorithms exist for quickly finding primes with hundreds of digits. 41 Id . at 123. 42 Id . at 125. 39 - 13 - Pinsky/ Digital Signatures difficulty that the problem of factoring large numbers which are the product of 2 primes presents. So long as this problem does not yield to a simple rapid algorithm, the attacker is foiled.43 4) The DSS Scheme The DSS scheme introduced by ElGamal is similar in concept, but uses the difficulty in computing discrete logarithms rather than the difficulty in factoring large numbers.44 In this scheme the sender selects three numbers, p, q, and g, which taken together become the public key. p must be a prime (between 512 and 1024 bits in the proposed standard), q is a prime divisor of p-1 (specified as having 160 bits in the proposed standard). g is calculated from p and q in a specified manner.45 The user then selects the private key, e, randomly, computing the public key, d, from the expression: d = g e ( mod p). (9) The security in this method (which is not permutable, and therefore does not directly provide the confidentiality function) is in the asymmetry in the difficulty of computing e, knowing only d and p. That process is known as taking a discrete logarithm and is comparable in difficulty to the factoring problem.46 The keys are used somewhat differently in the DSS scheme than in the RSA scheme. Here, two "signatures", r and s, are appended to the plaintext message: r = ( g k (mod p) ) ( mod q ); Id . 44 ElGamal, supra note 12. 45 g = j |(p-1)/q| (mod p), where j is a random number less than p which satisfies: j |(p-1)/q| (mod p) > 1. 46 Ford, supra note 12 at 81-84. 43 - 14 - (10) Pinsky/ Digital Signatures s = ( k-1 * (H + e*r) ) ( mod q ); (11) where p, q, and g, are included in the public-key. k is any random number less than q, and k-1 is given by: k * k-1 ( mod q ) = 1. H is the hashed digest of the message. The hashed digest is discussed in section 5, infra . Conceptually one can think of the digest as a short form of the message, M. Upon receipt, the signatures are verified using the public-key numbers: p, q, g, and d. Their successful use serves to authenticate the origin of the message as being the same as the origin of the public keys. First the hashed digest is recalculated from the plaintext message as received, and it is used along with the public-keys and the received value for s to compute a new value, v,47 which must be exactly equal to the value for r as received to establish the validity of the message. The successful use of the hashed digest in calculating v provides both the seal function and the integrity function, as it is not possible for the recipient (or any intercepting party) to change the message in any way and preserve the equality of v and r without knowing the private key, e. The DSS scheme requires considerably more effort on the deciphering end as compared to the enciphering operation. By comparison the RSA technique is more balanced at each end.48 Further, as noted supra 49 the DSS scheme as proposed, does not provide the confidentiality function whereas the RSA scheme is easily employed to provide all four functions.50 4) Hashing and Digests For those who may be interested, v = ((gu1 * du2 (mod p) ) ( mod q ), where: u1 = (H' * w) (mod q); u2 = (r' * w) (mod q); and w = (s')-1 (mod q). H' is the recalculated hashed digest and r' and s' are the received values of r and s. Id . at 81-83/ 48 Id . at 83. 49 See supra note 43 and accompanying text. 50 See supra note 35 and accompanying text. The four functions are: authentication; seal; integrity; and confidentiality. See supra note 12 and accompanying text. 47 - 15 - Pinsky/ Digital Signatures Hashing refers to the process of creating a string of characters known as a digest by a mapping from the full plaintext message.51 The algorithm used to form the digest from a particular plaintext message is typically designed with the seal function in mind. That is if any character in the plaintext message is changed then the digest will change also. It is likewise essential that each individual plaintext message result in a single unique digest. Finally, it is sometimes useful if the plaintext message cannot be feasibly reconstructed from the digest.52 The digest generated for use with digital signatures is typically of a fixed length which is chosen to be small enough to be comfortably enciphered as the message surrogate in the construction of the actual digital signature with the private-key. This allows very large plaintext messages to be represented in the digital signature formation by a string of known and suitably short length. This is the principle motivation for using hashing. Since the PKE schemes require that the message lengths be smaller in character length than the modulus used, and the calculation times go up as the modulus size is increased, enciphering entire large messages in one operation is impractical. Even when the large message is broken into a sequence of smaller segments the total time required to encipher and decipher the message may be prohibitive.53 To function on the receiving end of a message, the hashing algorithm must be known to the recipient. It is then applied to the full plaintext part of the received message. The resulting digest is then used to verify the digital signature. Even the change of a single bit in the digest will result in a failure to verify the signature.54 Note that when used in this fashion, the plaintext is sent as part of the body of the message and the confidentiality function is forfeited. 51 52 53 54 Ford, supra note 12 at 75-77. See e.g. Article 1.10, Hash Function in ABA-DSG supra note 7. Ford, supra note 12 at 79-80. Id. at 75-77. - 16 - Pinsky/ Digital Signatures One common technique to assemble digests is called the cyclic redundancy check [hereinafter CRC ]. A CRC samples bits horizontally according to some repetitive scheme across the characters in the plaintext message field. For example the simple parity of the sum of all of the corresponding bits from character to character through the message might be written into a single bit in the digest. (e.g. take the sum of all the least significant bits from every character in the full plaintext message. If the resulting sum is even, the first bit in the digest will be set to 0, if it is odd then that bit is set to 1. Other characters in the digest can be calculated using modular arithmetic, and by zig-zagging through the bits from the plaintext characters according to some particular scheme. The resulting digest can be constructed so as to provide that even a change in a single bit in the plaintext will necessarily change at least one bit in the digest, and no reasonable conspiracy of multiple changes will result in the fluke reconstruction of the original digest. Thus when the digest is enciphered as the message surrogate in the PKE digital signature, the seal function is provided. Any corruption in the plaintext message will result in the calculation of a digest which will differ from the one obtained from the deciphering of the digital signature with the public-key.55 At present the design of good hash functions has proved somewhat problematic, but there are some which are presently in widespread use, and so far appear to be credible.56 C. What are the Disadvantages and Vulnerabilities of the PKE Schemes The primary disadvantage of the PKE schemes when compared with some of the alternatives is the computational complexity and the attendant calculational time required. For short cryptic messages, the time overhead is small, but for large messages where confidentiality is required, the enciphering and deciphering times can become considerable.57 Another non- 55 56 57 Id . Id . at 84, and Mitchell, et. al. supra note 12 at 325. Ford, supra note 12 at 79. - 17 - Pinsky/ Digital Signatures negligible consideration is the communications overhead. The fact that the length of the messages can be significantly increased by the addition of the signature appendices, again especially when confidentiality is required in a long message, impacts the total volume of traffic on the computer networks.58 Both of these factors can be represented as an economic cost in terms of the increased quantity of resources required to proceed using PKE digital signatures as compared with the alternatives. As pointed out initially59 the authentication function of PKE techniques are only as reliable as the ability to associate the public key with the author. Much of the discussion of the legal and statutory infrastructure needed to implement digital signatures revolves around this issue.60 The essence of the utility of the PKE schemes is the ability to execute legal transactions remotely between parties without the requirement that they exchange anything other than by purely electronic means. Adding a requirement that they physically exchange some article to establish authenticity, would defeat the essential advantage that PKE schemes have over all other present alternatives. There is no presently known method to establish absolute authenticity arbitrarily by strictly electronic means. All present solutions require the establishment of some type of certification authority, which acts as a repository for public-keys and vouches for the relationship between a particular public-key and its supplier.61 Any method which defeats that association, defeats all 4 functions provided by the PKE technique.62 All proposed PKE techniques rely on a mathematical asymmetry in the difficulty between a particular process and its inverse. The discovery of an algorithm for the difficult side of the process allows the calculation of the private key from the public key, and with it the defeat of all 58 59 60 61 62 Id . See supra note 13 , and accompanying text. See infra Part 4(A). See Longley supra note 12 at 345-348. Id . - 18 - Pinsky/ Digital Signatures 4 functions. At present, the processes chosen show no signs of yielding,63 but one must be eternally vigilant to the possibility. Finally, there is the problem of physical security. The private key must be safeguarded. Should the private key come into the possession of one other than the proper owner, then of course that person could send messages purporting to come from the proper owner. This is a significant problem, since private-keys are necessarily loaded into computers at some point in the enciphering process. The unauthorized access to a machine containing a private-key carries with it the threat that the private-key will be compromised. This can occur in subtle ways. For example, in addition to the direct method of simply downloading the value to the attackers computer, an attacker may gain enough information about the nature of the private key to allow dramatic short-cuts to be taken in external attempts to calculate the private-key. For example, it was recently reported64 that by observing the precise times that a particular CPU takes to run a known deciphering algorithm with known messages and a particular private-key,65 one can reduce the problem of calculating the value of that private-key from the known public-key to a one which requires only a few minutes. While a simple fix has been implemented to thwart this potential attack,66 even in the remote cases where it is possible to make such observations, it serves to illustrate the potential for compromise in subtle ways. III. Why do we need digital signatures? See notes 41 and 43 and the accompanying text. 64 John Markoff, Secure Digital Transactions Just Got a Little Less Secure , N.Y. TIMES (National ed.), Dec. 11, 1995, at A1, C4. reporting on the work of Paul C. Kocher. 65 Id . In this case the public-key is being used in an RSA scheme to encipher known messages sent back to the key owner, who is then observed (measuring the CPU execution time required) while she uses her private-key to decipher those messages within her own computer. 66 Id. at C4. 63 - 19 - Pinsky/ Digital Signatures A. Authentication Perhaps the prime function for digital signatures is to provide the same significance that conventional handwritten signatures connote. These can be broken into 4 categories: evidence , approval , ceremony , and efficiency .67 All of these functions concern the issue of authentication. The evidence function refers to the ability to determine the identity of the signer of the document.68 It makes the document attributable to the signer. Approval is the function that indicates the signer's intention that the document have legal effect.69 The ceremonial function is sometimes referred to as the cautionary function.70 By this it is meant that the solemnity of signing draws the signer's attention to the significance of the proceeding. Finally, the efficiency function refers to the significance that the presence of the signature on that document has for general viewers. For example the signature of the CEO of a corporation on a memo, might lessen the tendency of the employees to inquire or question the content. This function has been likened to the symbols of authentication on currency.71 In order to allow commercial and legal transactions to occur over electronic networks, these traditional functions must be provided by some mechanism. As described in the part II(A)(2), supra , digital signatures are capable of providing such a mechanism along with additional benefits that conventional handwritten signatures cannot. Each of these capabilities will be considered in turn. 67 ABA-DSG supra note 7 at 4. See also Joseph M. Perillo, The Statute of Frauds in the Light of the Functions and Dysfunctions of Form , 43 FORDHAM L. REV. 39, 48-64 (1974) [Hereinafter Perillo ]. 68 RESTATEMENT(SECOND) OF CONTRACTS, statutory note preceding § 110 (1982). See also Lon L. Fuller, Consideration and Form , 41 COLUMBIA L. REV. 799, 800 (1941) [Hereinafter Fuller ]. 69 Uniform Commercial Code § 3-204. 70 Perillo, supra note 65 at 53-56, and Fuller, note 66 supra at 800. 71 See Perillo, supra note 65 at 50-53, and Fuller, supra note 66 at 801-02 - 20 - Pinsky/ Digital Signatures 1. Identifying the Signer If a signature of any sort is to be of use, it must be attributable to the person who affixed it. The detection of forgeries of conventional handwriting is itself quite problematic.72 Digital signatures provide a considerably greater reliability for identification of the possessor of the private-key as the signer of a particular message than does a conventional signature on a paper document.73 The difficulty comes when one wishes to associate the holder of a particular private-key with an individual person. This cannot be done electronically, but "must be made by people using the fact-finding capabilities of their senses."74 In practice that association involves considerable effort. If the signer and the recipient must physically meet to authenticate the key association, the whole point of using electronic communication is defeated. An alternative is to resort to a trusted third party to shoulder the burden of verification of the identity of the key holder, and then to certify that information to the recipient. Such a third party is known as a certification authority [hereinafter CA ].75 The need for a CA naturally leads to the issue of certifying the CA itself. This then conjures up the image of a hierarchy of CAs, each of which must be consulted in turn to verify the authenticity of the previous authority consulted. Practically, that means that the message that the first CA sends to verify the value of the original signer's public-key, must itself be digitally signed. The public-key for that digital signature is supplied by the next level CA, which of course must be digitally signed, and so on. Clearly, at some point it must end. Statutory See e.g. U.S. v. Starzecpyzel, 880 F. Supp. 1027, 1047 (S.D.N.Y. 1995), concluding that forensic document examination is not a science, but a skill like that possessed by an experienced artisan. The testimony of such experts may be useful to the trier of fact, but cannot be presented as scientifically based. 73 ABA-DSG supra note 7 at 7. 74 Id. at 11. 75 Id . See also Longley, et. al., supra note 12 at 345. and Ford, supra note 12 at 93-97. 72 - 21 - Pinsky/ Digital Signatures provisions have been adopted in Utah76 in the Utah Digital Signatures Act [hereinafter UtahDSA ], and are embodied in the Digital Signature Guidelines being drafted as model legislation by the Information Security Committee of the Section of Science and Technology of the American Bar Association [hereinafter ABA-DSG ]77 Both of these schemes provide for the licensing of private CAs including their responsibilities78 and liabilities,79 and for the establishment of a government CA to certify licensed CAs.80 Note that under the Utah-DSA CAs are not required to be licensed, but the compliance with the licensing provisions affords a limit to liability, and an exemption from punitive damages.81 The establishment of a hierarchy of CAs cannot, however, overcome the initial problem that the first CA has in determining the identity of the individual wishing to be certified (generally termed the subscriber ). At some point, either a physical identification must occur, or a remote investigation by the CA sufficiently convinces them that the identity of the subscriber has been established to the required level of confidence.82 The issue of CA liability is considered in part IV(C) infra . The actual information available from the CA is called a certificate , and consists of a message which includes: 1) the identity of the CA; 2) the name of the subscriber; U.C.A. 1953 s 46-3, Utah Digital Signature Act . 77 ABA-DSG note 7 supra . 78 U.C.A. 1953 s 46-3-202, -207, and 304, -307, and ABA-DSG note 7 supra at Art. 3. 79 U.C.A. 1953 s 46-3-308, and ABA-DSG supra note 7 at 3.16. 80 U.C.A. 1953 s 46-3-501, and ABA-DSG supra note 7 at 3.7, noting in comment 3.7.2 that a CA's certificate must be conveniently available for reference in a trustworthy manner, falling 76 short of Utah's absolute requirement for licensed CA's certificates to be available from a government CA. 81 U.C.A. s 46-3-201(5)(b). 82 ABA-DSG supra note 7 at 11. The level of confidence is a question of fact related to the objective reasonableness standard applied in the case of a tort action predicated upon a loss proximately caused by reliance on that certificate (i.e. where it turns out not to be from the subscriber purported), ABA-DSG supra note 7 at §§ 3.16 and 5.3, and U.C.A. 1953 s 46-3-301, 304, 308. - 22 - Pinsky/ Digital Signatures 3) the subscriber's public key; and 4) the digital signature of the CA issuing the certificate.83 The use of such a certificate by the recipient of a message, thus allows the verification of the association of the party holding the private key with the subscriber named. Again this association is limited by the presumption that someone other than the subscriber has not come into possession of the private-key, either by some form of misappropriation or by a successful attack on the enciphering algorithm. Related to the function of CAs, are collateral entities known as repositories .84 These are certificate databases which are maintained on line for general access purposes. It is most likely that CAs may simultaneously operate their own repository service, but the functions of issuing the certificate and maintaining the on-line database are two separate and distinguishable endeavors that carry their own particular duties and liabilities.85 Further, large generally accessible repositories may be set up, accepting certificates from many different CAs. Such repositories might improve the general access to certificates by insuring a higher and more uniform quality of service. 2. Verification of Content One of the strengths of the digital signature technique is the ability to provide the seal function. Through the use of hashing, or by enciphering the entire plaintext message, the 83 ABA-DSG supra note 7 at § 1.4, and U.C.A. 1953 s 46-3-104, requiring in addition: a description of the algorithms used; a unique serial number to that certificate; the date and time the certificate was issued and the date and time on which it takes effect; the expiration date of the certificate; and the recommended monetary reliance limit for any transactions to be based on the use of that certificate. 84 ABA-DSG supra note 7 at § 1.24, and U.C.A. 1953 s 46-3-103(29). 85 See e.g. U.C.A. 1953 s 46-3-502, providing that CAs may set up repositories or they may be separately licensed; and U.C.A. 1953 s 46-3-504, exempting repositories from all liability associated with reliance upon certificates issued by a licensed CA. - 23 - Pinsky/ Digital Signatures verification of the digital signature carries with it the verification that the contents of the message are unchanged from the version that was signed with the private-key. Note that this verification is two-way. The recipient is assured that the message was not intercepted enroute and modified. Furthermore, because the recipient can only access the public-key, he cannot modify the message either. Thus, if subsequently called upon to produce a copy of the message that he received, the verification of the digital signature at that time would again confirm that the message had not been tampered with by any party. This differs from the so-called symmetric encryption schemes discussed in Part V, infra , where the recipient can verify the non-alteration of the message in transit, but the possession of the symmetric key allows him to modify the contents upon receipt and reconstitute the seal, creating a message that appears facially valid and shows no evidence of alteration. Clearly the PKE scheme is superior, and allows the recipient to produce a copy of the message received in court with a prima facie presumption of validity.86 3. Non-Repudiation (Attribution & Approval) Along with the association of the message with the holder of the private-key, the verification of the digital signature carries with it the presumption that the subscriber affixed (or otherwise authorized the application of) the signature to the message with the intention to authenticate.87 This allows the use of a digital signature in any manner in which a valid handwritten signature may be used,88 and with that any limitations from the common law on the ABA-DSG supra note 7 at § 5.6 and comments, and U.C.A. s 46-3-401. The presumption is of course rebuttable, by proof that the certificate was not valid for some reason, or that the subscriber had either lost control of the private key or that it was somehow discovered, and the subscriber can satisfy the burden of proof that the message did not come from her. See ABADSG at comment 5.6.2. 87 U.C.A. s 1953 46-3-401(3), and ABA-DSG supra note 7 at § 5.6. 88 ABA-DSG supra note 7 at §§ 5.1, 5.6 and comment 5.6.2, indicating that the digital signature carries with it all of the presumptions associated with a valid handwritten signature. 86 - 24 - Pinsky/ Digital Signatures liabilities incurred by the signing party, such as allowing repudiation where there was a lack of intent to affix a signature,89 and the signing party can present proof sufficient to rebut the presumption of intent. However, in the final analysis, the digital signature is likely to be far more difficult to repudiate than a handwritten signature.90 The most likely reason for repudiation of a digital signature will be claim that the privatekey was compromised.91 This possibility has been considered in both the ABA-DSGs and the Utah-DSA. They both create a duty on the part of the subscriber to exercise reasonable care in keeping the private-key from being compromised,92 and the ABA-DSG expressly requires the subscriber to promptly notify any CAs holding the public-keys corresponding to the suspect private-key upon any reasonable suspicion that it has been compromised.93 However, for some reason, the Utah-DSA is silent on the subscribers express duty in this regard. Again in both the 89U.C.A. s 1953 46-3-401(5)(c). See also Thomas, supra note 8 at 1152, 1161-62, observing that courts have tended to look for the signer's intent, and that when tied to the technology, it may be possible to argue that where the use of digital signatures may be technically required like passwords for particular communications, the using party should not necessarily be held to have had the intent to sign, and Douglas Robert Morrisson, The Statute of Frauds Online: Can a Computer Sign a Contract for the Sale of Goods? , 14 Geo. Mason U. L. Rev. 637, 661 (1992) [Hereinafter Morrisson ], pointing out that intent to sign is a question of fact whether it was more likely than not that a particular use was authorized. 90 Given the potential technology available to forge handwritten signatures, the possibility to construct such a forgery is far greater than attacking the PKE mathematical algorithms. See e.g. U.S. v. Starzecpyzel, supra note 72. 91 Longley, et. al., supra note 12 at 348-49, pointing out that situations where the private-key could be misappropriated likely represent the greatest threat to the reliability of digital signatures. 92 U.C.A. s 1953 46-3-303, establishing the reasonable care standard, and ABA-DSG supra note 7 at § 4.3, expressly declining to establish the precise standard of care, but referencing the Utah-DSA and alternative possible standards. 93 ABA-DSG supra note 7 at § 4.4., and ABA-DSG note 7 supra at § 4.4. This creates a negligence standard of reasonable care on the part of the subscriber. - 25 - Pinsky/ Digital Signatures CA has a duty to give suitable public notification of suspension94 or revocation95 of a that certificate.96 The CA has a duty to revoke or suspend a certificate should it become aware of its invalidity. However, the CA does not have any duty to monitor the use of the certificates to affirmatively look for developments that warrant suspicion that a private-key may have been compromised.97 4. Ceremony The ceremonial function is perhaps of greater significance in the use of digital signatures than for handwritten ones. The likelihood that one will inadvertently sign a document by hand is somewhat remote. However, given the nature of computers, the poor design of application software might well provide for the default appending of a digital signature on all messages without the necessary individual affirmative act on the part of the signer. If digital signatures are to be accorded the status of handwritten ones, binding the owner to approval of all documents to which they are attached, it is important that their actual use be particularly ceremonial. For example, the signature might be kept on an external media such as a floppy disk or a PCMCIA98 card, where the act of applying a digital signature requires the physical insertion of the disk or The temporary invalidation of a certificate for some specified period of time, ABA-DSG supra note 7 at § 3.11, and U.C.A. s 1953 46-3-103(35). 95 The permanent removal of a certificate from use, ABA-DSG note 7 supra at § 3.12, and U.C.A. s 1953 46-3-103(31). 96 ABA-DSG supra note 7 at § 3.14, and U.C.A. s 1953 46-3-302, -306. 94 ABA-DSG supra note 7 at § 4.4, and comment 4.4.2, but see U.C.A. 1953 s 46-3-207(1), mandating that, although not expressly assigned a duty to look for suspicious activity, a CA may not conduct its business in any manner that creates a commercially unreasonable risk for either subscribers or persons relying on the certificates. 98 PCMCIA is an acronym for Personal Computer Memory Card International Association and refers to a standard that has become the default choice for plug-in cards for personal computers, Patrick Dryden, Uncommon Cards for Uncommon Slots: PCMCIA Magic is no Easy Trick, but as Standards Begin to Settle, More Products Emerge , 55:10:5 LAN TIMES, March 8, 1993. 97 - 26 - Pinsky/ Digital Signatures card into the machine at the time of fixation or transmission. This type of implementation would be difficult to mandate, but the reasonable care standard for the protection of private-keys, likely will be found to extend to the care in use by the owner as well as the care that they not be compromised by coming into the possession of others. As mentioned in section 3, supra , both the ABA-DSGs and the Utah-DSA provide a presumption of intent to affix, but both make that presumption rebuttable.99 The ABA-DSGs suggest that the subscriber use a suitable form of application software including password protection, but neither mandates its use nor discusses the standard of care for insuring that all uses by the owner are indeed intentional.100 The UtahDSA is silent on this issue. 5. Determining the Time of Signing In instances such as those where the "mailbox" rule applies, the exact time that the message was irrevocably committed to transmission to the recipient may be dispositive.101 This is somewhat problematic for digital signatures. The present schemes do not provide for any accurate determination of the time of sending or signing of a message by the subscriber. The only provision for authentication of a time is the existence of a time stamp from a CA.102 However, this service only serves to establish the time that the recipient chose to verify the digital signature via a CA that provided a time stamp.103 Thus the time stamp only serves to determine that the digital signature was affixed and the message was sent some time prior to the See supra notes 85-88 and accompanying text. 100 ABA-DSG supra note 7 at § 4.3 and comment 4.3.2. 101 RESTATEMENT (SECOND) OF CONTRACTS § 63, setting out that the acceptance of an offer is effective at the time a properly addressed message is "mailed" without regard to its eventual proper receipt. 102 ABA-DSG supra note 7 at § 1.29, and U.C.A. s 1953 46-3-103(36). 103 ABA-DSG supra note 7 at § 5.6(4), and U.C.A. s 1953 46-3-401(4) 99 - 27 - Pinsky/ Digital Signatures time stamp. Litigants would have to resort to extrinsic evidence to establish any earlier time as applicable to the validity of the message.104 B. Satisfaction of Legal Signing Requirements 1. The Statute of Frauds, the UCC, Real Estate, and the Parol Evidence Rule Chapter 5 of the RESTATEMENT (SECOND) OF CONTRACTS comprising §§ 131-137 expressly require signed writings under certain conditions for the contracts to be valid. § 134 specifically addresses the issue of signatures and allows any symbol that manifests the intent of the signer to be bound to satisfy the requirement. Courts have generally tended to be very liberal in finding this requirement to be satisfied,105 and there is no reason to believe that digital signatures will provide any particular problems, except as noted in Part III(A)(3), supra , where there is a genuine question regarding the intent of the signer. The UCC also embodies the Statute of Frauds in § 2-201. As digital signatures are typically valid as replacements for handwritten signatures, no conflicts with the statute of frauds is likely to occur. The Parol Evidence Rule also warrants a mention in this context.106 When parties have reduced their agreement to a writing intended to be the integrated expression of that agreement, extrinsic evidence of additional inconsistent terms from prior agreements is inadmissible to determine the scope of the final agreement. An electronic document is likely to be found sufficient to satisfy the parol evidence rule's requirement for a writing, and the authentication of ABA-DSG supra note 7 at § 5.6 and comment 5.6.2, and U.C.A. s 1953 46-3-401(4)(b), allowing the finder of fact to conclude based upon other evidence that the message was sent at some specific earlier time. 105 See Morrisson, supra note 87 at 654, discussing the courts general acceptance of "signed" telegrams and suggesting the likelihood of their similar acceptance of electronic signatures. 106 UCC § 2-202, and RESTATEMENT (SECOND) OF CONTRACTS § 213. 104 - 28 - Pinsky/ Digital Signatures that document by the presence of digital signatures will also likely be found to be sufficient to make the agreement binding where a handwritten signature on a conventional paper document would have been sufficient.107 At present there is no case law on this issue. Finally, even though the Statute of Frauds, expressly includes all conveyances of real property,108 under the law of most states, the common law forms of conveyance have been replaced by statutory forms for deeds.109 Thus the formal requirements for a signed writing to accompany the conveyance of real property now has a legal basis separate from the Statute of Frauds.110 At present, only the Utah-DSA would address the ability to conduct such a transaction wholly electronically, satisfying the statutory deed signing requirements via a digital signature. There is no case law at present concerning this aspect of the use of digital signatures, but there is no reason to believe that ultimately this form of transaction will also become commonplace in real estate as well. 2. Submissions to Courts and to the Government Beyond the issues in commercial transactions and contract formation, there are numerous examples of where a signature is required on documents submitted to courts,111 and on 107 ABA-DSG supra note 7 at § 5.1 and comments 5.1.1-12, listing all of the known formal signature and writing requirements within the U.S. 108 UCC § 2-202, and RESTATEMENT (SECOND) OF CONTRACTS § 213. 109 ABA-DSG supra note 7 at § 5.1 and comments 5.1.2, citing Roger Cunningham, William Stoebuck and Dale Whitman, THE LAW OF PROPERTY § 1.6 at 761 (2d ed., 1993). 110 ABA-DSG supra note 7 at § 5.1 and comments 5.1.2, citing 9 George Thompson, THOMPSON OF REAL PROPERTY § 82.03(b)(3), at 291-92 (Thomas ed., 1994). 111 See e.g. FED. R. CIV. P. Rule 11, Signing of Pleadings, Motions, and Other Papers; Representations to the Court; Sanctions . - 29 - Pinsky/ Digital Signatures documents submitted to the government.112 The present, there are no statutes providing for the general use of digital signatures to satisfy all signature requirements on such documents submitted to the Federal courts or government, Utah is the only state government to adopt statutes legalizing the use of digital signatures, and even this watershed legislation expressly exempts submissions to the Utah State Tax Commission.113 It is foreseeable that as digital signature legislation increases, all writing and signature requirements will be able to be satisfied electronically. IV. What Burdens Do Using Digital Signatures Create? A. The need for Certification Authorities The first major infrastructure impact of enabling the commercial use otherwise legal use of digital signatures is the need for CAs.114 Although the private sector is capable of supplying the needs by charging user fees, there is a clear need for legislation to license and regulate these entities, and for official government run CAs.115 The cost of operating the government entities can be paid for via general revenue, or through the use of user fees, but in either case they represent a net additional economic cost to society that handwritten signatures do not incur. Perhaps the cost will be offset by the reduction in the actual use of paper, but the use of purely See e.g. INT. REV. SERV. Form 1040, U.S. Individual Income Tax Return , and the Form 1040PC, expressly providing for electronic filing. Presently electronic filing must be made 112 through designated third parties who do receive conventionally signed copies of the form. 113 At present Utah is the only state adopting legislation legitimizing digital signature use, and U.C.A. s 1953 46-3-402, expressly exempts submissions to the Utah State Tax Commission from the act. 114 See supra the discussion in the text accompanying notes 74-83, . 115 See generally ABA-DSG supra note 7 ; the Utah-DSA, U.C.A. s 1953 46-3, and the discussion in Ford, supra note 12 at 93-97, urging that ultimately there will be a need for a Federal U.S. national CA, and possibly an International CA regulated by treaty. - 30 - Pinsky/ Digital Signatures electronic documents has its costs as well. Not only does one need to provide the actual media upon which the documents are stored, along with any provisions for archival backup copies, but the added costs of the hardware to create, transmit and view the documents must be included in the calculation too.116 Once the CAs exist, then one can expect a whole new jurisprudence to develop. The only analogous entities in the present legal structure are notaries,117 and they differ sufficiently in function from CAs to effectively require a separate judicial approach.118 One example of a new problem stems from the computer's inherent capability to record and rapidly recall all prior transactions. CAs could easily record and track the parties involved in all transactions that made use of their subscribers certificates. Such data might subsequently be the subject of a subpoena, or be sold to commercial data bases, raising privacy issues.119 Such data is also likely to be commercially valuable in many instances, raising similar privacy issues to those raised with regard to telephone records.120 The post office by comparison, is not physically capable of tracking for later recall, all of the signed correspondence between arbitrary parties, whereas the telephone company could more readily do so. The privacy laws affecting these other forms of communication will likely have an influence on statutory and judicial treatment of these issues with respect to the implementation of digital signatures. I have been unable to discover any arguments or detailed compiled data by advocates of electronic documents or digital signatures on the net economic costs of their implementation. However, the literature is abundantly sprinkled with examples of the benefits. See e.g. Long & 116 Long, supra note 1 . 117 See ABA-DSG supra note 7 at § 1.17 and comment 1.17.2, detailing the differences between notaries in various countries and their distinction from CAs. See also Michael Baum and Henry Perritt, ELECTRONIC CONTRACTING, PUBLISHING, AND EDI LAW 211-14 (1991). 118 Id . 119 See ABA-DSG supra note 7 at § 3.10 and comment 3.10.1,and see generally M. Ethan Katsh, LAW IN A DIGITAL WORLD 227-36 (1994), and Longley, et. al., supra note 12 at 328-333. 120 See e.g. Longley, et. al., supra note 12 at 328-333. - 31 - Pinsky/ Digital Signatures B. The Liability of Certification Authorities With the creation of CAs and the creation of responsibilities and duties for them, comes the issue of their liability. One could, of course, simply assign a negligence standard and allow the judicial process to function as it does in most other areas of the law. The difficulty with that approach is the sums of money potentially involved in the transactions that will occur are so substantial that the risk of liability would require user fees that would make the operation of CAs cost prohibitive.121 The solutions employed and proposed revolve around setting liability limits. For example the Utah-DSA exempts the CA from any liability where it has been properly licensed, and followed the requirements of the statutes.122 Basically, this protects the CAs from liability where the subscriber misrepresented information in applying for the certificate, and that certificate was relied upon by some party, that reliance being the proximate cause of some harm.123 The CA must comply with the all of the statutory requirements in issuing the certificate to be afforded this protection.124 The catch is that the statute requires a some standard of care by the CA, so there could still be liability where the claim would be for a breach of that duty.125 When the statutory provisions which are intended to shield the CAs from liability, do not protect them from claims of negligence, there are additional methods to limit liability. The UtahSee ABA-DSG supra note 7 at § 3.16 and comments 3.16.1-2, observing that the limitation of liability is necessary to encourage business to enter these uncharted waters. 121 U.C.A. 1953 s 46-3-308. 123 U.C.A. 1953 s 46-3-308, and ABA-DSG supra note 7 at § 3.16 and comments 3.16.1-2. 124 Id . 125 ABA-DSG supra note 7 at § 2.3 and comment 2.3.3, pointing out that reliance on the digital signature for verification is foreseeable, and thus civil liability may accrue where the CA breaches its applicable duty of care. The Utah-DSA makes the standard simple negligence, U.C.A. 1953 s 46-3-301, and the ABA-DSGs at comment 2.1.4 specify "commercially reasonable under the circumstances". 122 - 32 - Pinsky/ Digital Signatures DSA includes a provision to specify a reliance limit in the certificate itself.126 Then, the CAs liability is limited to that amount including the prohibition of punitive damages, if the CA otherwise complied with the licensing requirements.127 In contrast, the ABA-DSGs do not mention such a provision. Generally, the intention is to encourage businesses to enter this field and make digital signature technology available rapidly on a wide scale.128 The flavor of the statutes is to grant CAs broad exemptions from liability as part of the process of encouraging their entry into this field.129 One might predict that as the field matures, the courts will adjust their treatment of liability to suit the commercial reasonableness of the behavior of the CAs.130 C. Are they an Expression of Intent? As was noted in Part III(A)(3) supra , at common law and in the Statute of Frauds, any mark made with the intent to authenticate is acceptable as a signature.131 The courts will almost certainly use this same test where digital signatures are required.132 When the signer is simply negligent in the use of a digital signature, liability will still most likely attach.133 However, when the conduct of the signer does not represent a breach of a duty sufficient to trigger liability, then genuine questions of intent regarding the use of a digital signature may be sufficient to render 126 127 U.C.A. 1953 s 46-3-104(1)(j). U.C.A. 1953 s 46-3-308. ABA-DSG supra note 7 at § 3.16 and comment 3.16.1. 129 Id . 130 See e.g. Thomas, supra note 8 at 1150-52, 77-78, discussing judicial adaptation to the evolution of the use of telegraphy in business transactions, and opining that a similar adaptation will occur in their treatment or the use of electronic media. 131 See supra notes 83-87 and accompanying text. 132 See Thomas, supra note 8 at 1161-1164. 133 See e.g. U.C.A. 1953 s 46-3-303(1), invoking a simple negligence standard. 128 - 33 - Pinsky/ Digital Signatures them ineffective to bind the signer. Consider a case where the subscriber is required by the choice of the recipient's software to use digitally signed communications only, as a method of providing security and identification of senders. A digital signature attached for that purpose might not have been attached to legally bind the signer to the contents.134 Rather it would serve the same function as buying and affixing a postage stamp to a letter, rather than the function of signing the enclosed document. Another potential difficulty which digital signatures present is the possibility that computer to computer communication will be made using them to authenticate the message.135 The issue for the law is again, intent. Where no affirmative act occurred in the actual fixation of the signature, the question of intent is secondary. Clearly, the decision to allow the computer to affix the signature is something under the control of the signer at some point in time. However, it is conceivable that the intent and the reasonable expectation of the signer when enabling such a feature, might not correspond with the prima facie liability that might accrue when the signature is attached by the computer.136 At present, this is beyond the leading edge of the law.137 D. 134 The Best Evidence Rule See Thomas, supra note 8 at 1152, 1161-62. Joel R. Wolfson, Information Transactions of the Information Superhighway: Its not just Software Law Anymore , 11 J. Proprietary Rts. 2 (1994) n.17-21 and accompanying text [Hereinafter Wolfson ], observing that the issue of computer to computer communication where no human being affixes a signature is beyond the leading edge of present law. 136 Note that both hardware and software errors might be culpable in such a case , rather than simple negligence on the part of the signer. Note that the Utah-DSA only provides a rebuttable presumptions of intent and validity, see U.C.A. 1953 s 46-3-401(5). 137 See supra note 133. 135 - 34 - Pinsky/ Digital Signatures One area of the law that has nicely anticipated the use of electronic documents is the law of evidence.138 The potential problem with the Best Evidence Rule has been circumvented by the provision in Rule 1001(3) of the FEDERAL RULES OF EVIDENCE that expressly provides that "[i]f data are stored on a computer or similar device, any printout or other output 139, readable by sight, shown to reflect the data accurately, is an original " [emphasis in the original].140 Thus, courts will have no difficulty admitting as originals, electronic copies of documents that have been digitally signed, since they can be shown to reflect the data accurately.141 Recall that a document offered to prove the truth of its contents is still hearsay, therefore a hearsay exception such as FED. R. EVID. 803(6) Business Records exception must be found to complete the admissibility argument. There is no reason to anticipate that digitally signed electronic documents will be treated any differently in this regard than any other business records.142 The associated problem of situations where only the original should exist presents a problem for digitally signed documents. Perhaps the most problematic example is the use in commerce of documents that are themselves negotiable instruments. A signed check for example. If one were to create an electronic version of a negotiable instrument, then since electronic copies are essentially indistinguishable, one could produce any number, presumably all equally negotiable. Several solutions are possible to deal with this type of problem. First, one could allow electronic documents to be negotiable instruments only where the fund transfer See Thomas supra note 8 at 1167-68, pointing out how the potential for controversy has been nicely mooted by the Art. X of the FED. R. EVID. See also ABA-DSG supra note 7 at § 138 5,5 and comments 5.5.3; and Stanley A. Kurzban, Authentication of Computer-Generated Evidence in the United States Federal Courts , 35 IDEA: J.L. & Tech. 437 (1995). 139 This allows one to remain in the paperless world by simply displaying the document on a computer terminal. There is no express requirement for a hard copy. 140 FED. R. EVID. Rule 1001(3) 141 See Thomas supra note 8 at 1167-68; 142 See generally Peter N. Weiss, Electronic Documents: Steps Toward Developing A Security Policy , 12 J. MARSHALL J. COMPUTER & INFO. LAW 425, 429-32 (1993) - 35 - Pinsky/ Digital Signatures actually accompanied the digitally signed communication transaction.143 Another solution is to require a unique serial number on each such instrument, and provide that it would be honored for payment only once.144 Other suggestions include establishing central registries and the adoption of emulated currency, as well as the banning of the creation of electronic negotiable instruments.145 This allows for fraud where an unauthorized party intercepts the message, and submits the enclosed negotiable instrument for payment prior to the submission by the intended recipient. Similar type problems occur when electronic documents grant title to property such as a bill of lading.146 As the property is unique in principle, and the document is not negotiable, the fraud possibilities are essentially identical with those encountered when using written documents. Many countries are moving towards acceptance of electronic documents for customs purposes.147 E. Fraud Possibilities Among the unfortunate certainties in life is the assurance that attempts to defraud others will be present so long as our species exists. This tendency is proportional to the probability of surreptitious success. When introducing any new feature to society, one is always well counseled the carefully consider the potential for fraud. At the same time, one can rest assured that should there be any significant opportunities for the dishonest, they will be quickly discovered and exploited. The hope is to anticipate the most obvious and patch the law as now loop-holes are revealed. The following is a brief list of places where potential opportunities for such exploitation might possibly exist. This is the solution taken by the Utah-DSA, U.C.A. 1953 s 46-3-403. See also ABA-DSG supra note 7 at § 5.7, declining to adopt a final solution to the problem of negotiable instruments 144 See ABA-DSG supra note 7 at § 5.5 and comment 5.5.6 145 Id . 146 See Stasia M. Williams, Something Old, Something New: The Bill of Lading in the Days of EDI , 1 Transnat'l L. & Contemp. Probs. 555, 571-574 (1991). 147 Id . at 572. 143 - 36 - Pinsky/ Digital Signatures First on the list is the possibility to corrupt the system itself. The weakest link is the association of an individual with a certificate from a CA. The Utah-DSA requires that certificates only be issued after receipt of a "signed" application.148 However, the act also provides that a digital signature is good for all signature purposes, and does not expressly exclude applications for certificates from CAs.149 Thus, once an individual obtains a single certificate, she is immediately assisted in getting as many others as needed based on the first one. Thus, even if the first certificate is obtained by fraud or misrepresentation, and that conduct is subsequently discovered, if the subsequent CAs do not correlate the notice of revocation of the first certificate, the use of the additional certificates may be less likely to be discovered. Another possibility for fraud accompanies the ability of any party, even one who is unidentified to the CA, to request the suspension of a certificate for any reason under the provisions of the Utah-DSA.150 Here as pointed out in the ABA-DSGs, there is the potential for a severe disruption in the subscriber's business. Parties intent on injuring or harassing the subscriber, might be tempted to anonymously wrongly advise the CA that the subscriber's private-key had been compromised. Even a short suspension to confirm the bogus nature of the report, might be sufficiently damaging to the subscriber to satisfy the motives of the wrong-doer. The desire to act quickly to suspend a potentially compromised certificate, must be balanced with the opportunity to commit such a fraud. The present form of the Utah-DSA also has a peculiar loop-hole in duties. The CA has a duty to notify the subscriber if it should become aware of any reason to suspect the compromise of the private-key (or for any other reason that the certificate should be suspended).151 However, 148 149 150 151 U.C.A. 1953 s 46-3-301. U.C.A. 1953 s 46-3-402. U.C.A. 1953 s 46-3-305. U.C.A. 1953 s 46-3-304(2)(a). - 37 - Pinsky/ Digital Signatures the subscriber, although charged with a duty to exercise reasonable care to see that the privatekey is not compromised,152 does not have a reciprocal statutory duty to notify the CA should the subscriber become aware that the private-key has become compromised.153 Although, the subscriber is required to indemnify the CA for any loss due to the subscriber's negligence.154 Although it may be difficult to imagine a scheme to defraud based on this seemingly minor asymmetry in duties, an unscrupulous person might be able to set up a certificate which is provably valid upon creation, and permit compromise to a clandestine accomplice in a fashion that cannot be easily attributed to his intent or negligence. Then upon discovery, disclaim liability for the accomplices use, safe from fault even if it is shown that he was at some point aware, or should have been aware, that the private-key had been compromised. The final suggestion for a potential source of fraud concerns the use of time stamps. Under the normal scheme, it is the recipient who time stamps the message by using a CA that provides a time stamp with the subscriber's certificate. This allows an unscrupulous to hold a copy of the original message until a later time and re-time stamp it to gain the benefit of that later value of the time stamp. The subscriber may of course introduce other evidence that the message was sent at an earlier time,155 but the only mechanism guarantee that the message being sent is time stamped before actual transmission to the recipient is to employ another version of a CA which acts as a third party forwarder adding a time stamp to the message. Provisions for such services are contemplated, but add to the infrastructure overhead.156 V. What are the Alternatives? U.C.A. 1953 s 46-3-303(1). 153 However, the subscriber does have to certify at the time of issue of the certificate that the private-key is not compromised, U.C.A. 1953 s 46-3-302(1)(b). 154 U.C.A. 1953 s 46-3-302(4)(a). 155 U.C.A. 1953 s 46-3-401(4). 156 See ABA-DSG supra note 7 at § 5.6 and comment 5.6.2. 152 - 38 - Pinsky/ Digital Signatures Having discussed the benefits and potential problems of PKE based digital signatures it is reasonable to discuss the possible alternatives. PKE digital signatures are the "new kid on the block" as all of the alternatives that are offered in competition are already in substantial use. First on the list are symmetric cryptosystems .157 These employ the same private key on either end. Authentication is less of a problem since the recipient's key is physically transported to her and identities are . Examples of such systems include telephone calling cards and ATM cards where the user has a unique private-key, known to the phone company or bank as the case may be. In the commercial environment, almost all present transactions employ such symmetric cryptosystems.158 The two most widely used systems are the Electronic Funds Transfer (EFT) system used primarily by financial institutions to transfer funds between institutions, and the Electronic Data Interchange (EDI) system which is the most widely used system in commercial trading.159 The disadvantages of symmetric cryptosystems include the need for each individual pair of potential communicating parties to exchange in advance a common private-key via a secure medium. This creates an enormous procedural overhead in commerce, especially where it is desirable to rapidly establish reliable communication with a geographically remote party. Ironically, PKE technology may lengthen the useful life of many symmetric key based systems by providing a solution to their key distribution problem.160 Although with symmetric cryptosystems there is the same ability as with PKE systems for the recipient to authenticate the content of the message, the recipient's possession of the common key gives her the ability to alter See Ford, supra note 12 at 66-71. 158 Id ; and Longley, et. al., supra note 12 at 327, describing the symmetric cryptosystems used by both the Electronic Funds Transfer (EFT) and Electronic Data Interchange (EDI) systems. 159 See Ford, supra note 12 at 4; and Morrisson, supra note 89 at 637-44. 160 See Rivest, et. al., supra note 10 at 121, pointing out this potential use for the RSA based PKE systems. 157 - 39 - Pinsky/ Digital Signatures the message and re-encipher it with no internal way to detect that the altered message was not the one actually received.161 Also, there is no internal method of obtaining any reliable time stamp for either the dispatch or receipt of the message. The great advantages of symmetric cryptosystems are there relative speed when compared to PKE algorithms, and the high degree of confidentiality for large messages. This is the reason that the government uses such techniques for their transmissions that require the greatest security.162 Also, the length of the message is typically the same independent of encryption, so the net volume of network traffic is not increased by their use. Finally, the actual enciphering and deciphering techniques are similar to but less constrained mathematically than those proposed for the PKE schemes. The requirement that each communicating pair be supplied with a unique key, creates the desire for an enciphering algorithm that puts less stringent demands on the exact nature of the key. This has lead to hardwired algorithms implemented on individual electronic integrated circuits (chips). The Federal government adopted such an algorithm known as the Data Encription Standard [hereinafter DES ], in 1977.163 The DES chip allows the rapid processing of large volumes of data using any 56-bit random as the symmetric key. It is still in use today, and there have been no reported successful attacks.164 However, fears that the DES chip will eventually be successfully breached have lead to the proposal that it be replaced with an new chip based on a classified algorithm known by the code name SKIPJACK.165 The new chip is referred to as the Clipper Chip and employs an 80-bit random number as a key.166 The National Security Agency See Ford, supra note 12 at 66-71. 162 Id at 70-71. 163 Id at 67, describing the details of the DES algorithm which is publicly known. 164 Id at 70. 165 Id at 71. 166 Id . 161 - 40 - Pinsky/ Digital Signatures has proposed that the Clipper Chip be adopted as the national standard for all secure communications. This has met with considerable opposition because the SKIPJACK algorithm is known to possess a trap-door . The trap-door consists of two independent 80-bit secret keys that will allow the holder to decipher any enciphered message.167 The proposal is to house the trap-door keys with two independent law enforcement escrow agents under strict controls, requiring judicial approval for their authorized use to intercept and decipher a particular message.168 Enumeration of the arguments for and against the Clipper Chip are beyond the scope of this discussion, and bear on it only to the extent that it is a potential symmetric cryptosystem in competition with the PKE systems described here. VI. Conclusions The PKE systems based on the RSA and DSS algorithms are clearly workable alternatives to the symmetric cryptosystems presently in use. They offer significant advantages in authentication of the content of the messages as well as the traditional signature function of signer identification. Their ability to establish a form of rapid communication with remote parties that will allow legally binding transactions to occur, make them unique. However, they do come with a price. The requirement that an infrastructure of certification authorities be established along with the official regulation of those authorities, is a cost that must be included in the evaluation. One can expect other states to follow Utah's lead,169 and establish Digital Signature Acts of their own. The American Bar Associations' Digital Signature Guidelines170 are an excellent starting point for legislators considering the provisions that such an act must include. Id . 168 Id . 169 See U.C.A. 1953 s 46-3, The Utah Digital Signature Act. 170 ABA-DSG supra note 7. 167 - 41 - Pinsky/ Digital Signatures As noted in the various sections of this note, the two do not always agree,171 and the resolution of those areas of alternate approach will likely await the inevitable case law to come. Lawrence S. Pinsky Appendix A. A "Simple" Numerical Example of the RSA PKE Algorithm The following is an example of the RSA PKE algorithm using small "easily calculable" numbers to illustrate the technique. The reader is referred to Part II(B)(3) supra for the discussion of the technique. All numbers will be normal decimals to facilitate there interpretation and allow verification of the calculations with any normal 4-function calculator. Let us take as our "message" the author's initials "LP". As described in Part II(B)(1), in ASCII these letters would be represented by the numbers 76 and 80 respectively. (Capital A begins at 65 in ASCII.) Thus the message is represented in decimal numbers by 7680. Since we want a "simple" example, and since the value of N must exceed the maximum size of the message, let us break the message into 4 pieces: 7, 6, 8, and 0. The largest number we would have to deal with given this message is 8. To choose N we first choose two primes, p and q and then let N = p * q. To keep things manageable, let's pick: p = 3 , and q = 11 . (Both being prime numbers as required.) (A1) N = p * q = 3 * 11 = 33 . (A2) Then: This would then allow messages up to the number 32 to be enciphered with the keys we are about to find. We choose d, the public-key first. To do that we need to calculate: = ( p - 1 ) * ( q - 1 ) = ( 3 - 1 ) * ( 11 - 1 ) = 2 * 10 = 20 . 171 See supra notes 79, 81, 83, 92, 93, 97, 125, 143, and 151. - 42 - (A3) Pinsky/ Digital Signatures Recall that from eqn. (6) supra Part II(B)(3), that d must be relatively prime to (or 20 in this case). If we choose d to be a prime that is not a factor of 20, we will have satisfied that requirement. The prime factors of 20 are: 20 = 2 * 2 * 5 (A4) Since 3 is available, let us choose: d = 3. (A5) Now we must find e. From eqn (8) supra Part II(B)(3), we have: or, e * d = 1 ( mod ( p - 1 ) * ( q - 1 ) ) , (8) e * 3 = 1 ( mod 20 ). (A6) The RSA system uses the following algorithm here to solve for e. We are basically looking for the smallest number that when multiplied by 3 will be 1 more than some integer multiple of 20. This is easily solved by an iteration process. Basically want the smallest integer that solves: e * 3 = n * 20 + 1 . (A7) We are fortunate that the solution here is very easy: e = 7 . ( i.e.. 3 * 7 = 1 * 20 + 1 = 21 ). (A8) Thus we have found both keys. Let us recap the values: N = 33 ; d = 3; e = 7 ; and M1 = 7 , M2 = 6 , M3 = 8 , and M4 = 0 , (A9) We can proceed to encipher the first part of the message according to eqn. (1)supra Part II(B)(3), C = M e ( mod N ); or: (7)7 C = (7)7 ( mod 33 ) . (1) (A10) is a large number, but we require the remainder after dividing 77 into that number. Computers can carry out this part of the calculation with relative ease for very big numbers, but you can verify this calculation on a simple calculator. The result is: - 43 - Pinsky/ Digital Signatures (7)7 = 823,543 , (A11) which when divided by 33 leaves a remainder of 28. (i.e. 823,543 / 33 = 24,955 with a remainder of 28. Thus: C1 = 28 . (A12) This value would be transmitted along with the corresponding values for the other characters as the digital signature. (Here we have not used the analog of a hash function, but have begun the process of encoding the entire message. Upon receipt the message would be reconstructed from the public-key which consists of ( N = 33, and d = 3). From eqn. (2)supra Part II(B)(3), M = C d ( mod N ) , or M = 28 3 ( mod 33 ) . (2) (A13) 28 3 = 21,952 , which when divided by 33 leaves a remainder of 7, (i.e. 21,952 / 33 = 665 with a remainder of 7 ) as required to reconstruct the original message. The other characters encipher as: C2 = (6)7 ( mod 33 ) = 30 ; C3 = (8)7 ( mod 33 ) = 2 ; and C4 = (0)7 ( mod 33 ) = 0 . (A14) Notice that C4 has a problem. The value of 0 gives itself away. To avoid this the actual algorithm would require padding to provide dummy bits to keep from falling into this problem. Actually, any number that after the exponentiation did not "turn over" (i.e. exceed the modulus, and thus be required to "wrap around" at least once), would also require padding. The enciphered message would look like: 28300200. This then would be the digital signature and the public key would be [3, 33]. The scheme is secure so long as an attacker cannot reverse the process in equation 8 to find e. Of course if the attacker can factor 33 to find p and q (i.e. 3 and 11), then he can quickly use the same procedure used here to find e from d, p, and q that was used to find e in the first - 44 - Pinsky/ Digital Signatures place. However, only N is divulged in the public-key, not p and q. When N is a 200 digit number which is the product of 2 large primes, there is no known way to factor it quickly. Even this "simple" numerical example requires some considerable arithmetic. Although easy for computers, the clear effort required illustrates the overhead that the PKE method introduces to the process of communication. - 45 -
