
Digital Signature - University of Houston (lpinsky/Digital_Signature.doc)

Pinsky/ Digital Signatures

Digital Signatures: A Sign Of The Times

L. Pinsky

I. Introduction

The increasingly ubiquitous presence of computers in our everyday lives has reached the point where their use is presumed in most aspects of virtually every commercial transaction.1 Even in the non-commercial aspects of everyday life, the computer's presence is generally taken for granted.2 Computers in their present form are a relatively recent incarnation.3 Computers were originally developed to perform complex mathematical calculations, to store and retrieve archival record data through the use of search engines, and to control immediately attached devices, such as those used in manufacturing and scientific experiments.4 The vast array of computer networks that are now in existence was largely unpredicted in the early days of computer use. They only became reasonable with the evolution of the technology well after the computer age had begun.5 This new technology allows one to control the actions of a physically remote computer from a local computer, and further, with the ability of computers to communicate with each other in a seamless manner, the operational delineation of the borders of one's own machine has become somewhat arbitrary. That is, the technology has reached the point where the existence of network operating systems allows the blurring of the hardware into "virtual machines", a continually variable collection of components located worldwide, which appear to the user as if they were simple local intimate components of the hardware at her fingertips.6 This computer-to-computer communication capability has raised the legal issue of the authenticity of documents which are entirely generated, transmitted, and received within the electronic realm, where no other tangible form of the documents ever exists. This paper will address digital signatures,7 one of the techniques developed to deal with the authenticity of the source and content of documents transmitted electronically between computers, and at the same time with the legal requirement for signatures and signed writings. It should be pointed out that the law has faced a similar issue in the past. The advent of the telegraph, and its wide use in commerce, presented many of the same questions that purely electronic transactions do.8 However, the inclusion of the commercial telegraph operator as a potential trusted third party intermediary breaks the symmetry sufficiently to prevent a simple transference of the principles.9

Part II presents an overview of the technique itself, together with its first full-fledged statutory implementation in Utah. Utah is the only state so far to enact the legislation necessary to provide the legal infrastructure to allow digital signatures to legally authenticate documents. There is no reported case law at the present time, thus all of the discussion is necessarily anticipatory at this stage. Part III discusses the need for and potential applications of digital signatures, including the ability to provide both factual authentication and legal commitment. Part IV follows with a brief consideration of some of the potential problems that must be dealt with if their use is to become widespread, with an assessment of the costs involved, and finally, Part V considers the alternatives to the use of the proposed digital signature scheme.

1 Larry Long and Nancy Long, COMPUTERS, 1-3 (3rd ed., 1993) [hereinafter Long & Long].
2 Id.
3 Id. at 34-40, outlining the history of computing and pointing out that the first modern electronic digital computer was invented by Dr. John V. Atanasoff in 1939. The courts have also recognized Dr. Atanasoff. See Honeywell Inc. v. Sperry Rand Corp., 1973 WL 903 (D. Minn.), and Iowa State University Research Foundation, Inc. v. Honeywell, Inc., v. Sperry Rand Corp., 459 F.2d 447 (8th Cir. 1972).
4 Id. Long & Long at 10-11, 18.
5 Id. at 200.
6 Id. at 265-66.
7 See generally Alan Asay, Introduction to the Law and Technology of Digital Signatures, excerpted from DIGITAL SIGNATURE GUIDELINES (ABA Section of Science and Technology, 1995) [hereinafter ABA-DSG, referring to the actual guidelines themselves].
8 See John R. Thomas, Legal Responses to Commercial Transactions Employing Novel Communications Media, 90 Mich. L. Rev. 1145, 1150-52 (1992) [hereinafter Thomas], reviewing the law's adaptation to the use of telegraphy in commercial transactions.
9 Id. at 1152.

II. What are digital signatures

A. What do they do?

The term digital signature generally applies to the technique of appending a string of characters to an electronic message that serves to identify the sender (the authentication function).10 Some digital signature techniques also serve to provide a check against any alteration of the text of the message after the digital signature was appended (the seal function). Early concerns in computer science were focused on the problem of the recipient being able to ensure that the message received was genuine and unaltered. However, there was no reason to consider the potential legal problem of also being required to prove at a later time that the intended recipient did not himself alter the message for use as bogus evidence. This latter capability (the integrity function; in present-day usage it is called non-repudiation, since it protects the signer against the recipient as much as the recipient against third parties) is clearly of great interest in the case where legal documents are to be created with the use of such digital signatures. Finally, there is the aspect of privacy (the confidentiality function) that is of significance in many instances where the sender wishes to keep the contents of the message secret from all but the intended recipient.

10 See R. L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, 21:2 COMMUNICATIONS OF THE ACM [Ass'n for Computing Machinery] 120, 121 (1978) [hereinafter Rivest, et al.], describing the various functions that digital signatures can accomplish.

The technique that has increasingly become the standard11 is one based on a Public Key Encryption [hereinafter PKE] scheme.12 The PKE technique is based on an asymmetric pair of mutually inverse mathematical operations. The essential idea is that when a particular mathematical operation has a generally simple computation algorithm but simultaneously has a much more complex inverse process, by taking the number of digits involved up into the hundreds, one can know both the process and the result, but still not be able to work backwards to the initial state.13 This property, as will be described in section B, infra, allows the construction of a PKE scheme whereby the author can encode his message with a Private-Key,14 and then transmit the encoded message publicly along with a separate corresponding Public-Key,15 which must be externally attributable to the author. Then, with the encrypted message and only the Public-Key, the message can be decoded. The contents of the message are then verified as to content, and to the extent that the Public-Key is attributable to the author, the source is authenticated as well. Note that in this mode of operation the authentication, seal, and integrity functions are satisfied, but the contents of the message are not confidential. Any person with access to the encrypted message and only the Public-Key may successfully decode the message. The salient feature, however, is that even with that information, no receiving party can reasonably calculate the form of the Private-Key. Thus, additional messages cannot be forged. It is worth emphasizing again that the entire authentication of the identity of the author rests on the certainty with which one is able to associate the Public-Key with a particular author. There are two other somewhat less problematic assumptions that must also hold: the Private-Key, of course, must be kept secure, and the more complex side of the asymmetric mathematical inverse operation must not yield to a simple algorithm.

It is possible to use the PKE method to send encrypted messages that satisfy the confidentiality function as well as the authentication, seal, and integrity functions.16 To do that, however, both parties must employ the technique, and the demands on the PKE algorithm are more stringent. The first party sends a second public key as part of his initial message, which the second party then uses to encrypt the return private message. That message must also be "signed" by the second party using his own set of keys to authenticate that message. To allow this privacy technique, the mathematical properties of the encoding and decoding operations must be successive permutations of the same general process.17 That is, the sequence of application of private and public keys must be permutable.

The use of PKE was first introduced by Whitfield Diffie and Martin Hellman in 1976.18 Their algorithm was of the irreversible type, which cannot be used for messages requiring confidentiality because it is not permutable.19 ElGamal offered an improved version of the Diffie and Hellman scheme in 1985, and that method has become the basis for the Digital Signature Standard [hereinafter DSS] presently proposed by the National Institute of Standards and Technology [hereinafter NIST] (formerly the National Bureau of Standards).20 In 1978 Rivest, Shamir, and Adleman [hereinafter RSA] introduced a permutable PKE scheme which is thus reversible and as such can be used for both the authentication and privacy functions as described above.21 At present, the DSS and RSA schemes are in competition, and will likely remain so for some time to come.22

11 See A Proposed Federal Information Processing Standard [hereinafter FIPS] for Digital Signature Standard [hereinafter DSS], National Institute of Standards and Technology [hereinafter NIST], 56 FED. REG. 42980-2 (1991), proposing the adoption of a specific Public-Key based digital signature algorithm [hereinafter DSA].
12 This technique was first proposed by Whitfield Diffie and Martin Hellman, New Directions in Cryptography, 22:6 IEEE TRANSACTIONS ON INFORMATION THEORY 644 (1976) [hereinafter Diffie & Hellman], suggesting the use of the asymmetry in calculating logarithms compared with the inverse process of exponentiation as a basis for a PKE technique for one-way authentication. See also Rivest, et al., supra note 10, providing an elegant formulation and proof of the suggestions of Diffie & Hellman, supra, and introducing the concept of a reversible public-key cryptosystem, adding the possibility of privacy to authentication; and T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, 31:4 IEEE TRANSACTIONS ON INFORMATION THEORY 469 (1985) [hereinafter ElGamal], refining the Diffie & Hellman technique for an irreversible PKE system. More recent treatises include: Zella Ruthberg and Hal Tipton, eds., The Handbook of Information Security Management (1993), collecting a series of articles on all aspects of information security including digital signature authentication techniques; and, as references for the actual algorithms, W. Ford, COMPUTER COMMUNICATIONS SECURITY: PRINCIPLES, STANDARD PROTOCOLS & TECHNIQUES (1994) [hereinafter Ford]; and M. Baum, FEDERAL CERTIFICATION AUTHORITY LIABILITY AND PRODUCT LAW: LAW POLICY OF CERTIFICATE-BASED PUBLIC KEY AND DIGITAL SIGNATURES (1994) [hereinafter Baum]. See also Mitchell, Piper & Wild, Digital Signatures, in CONTEMPORARY CRYPTOLOGY: THE SCIENCE OF INFORMATION INTEGRITY 325, 341-46 (Simmons, ed. 1991) [hereinafter Mitchell, et al.], discussing generally the desirable features of digital signatures, and Dennis Longley, Ed Dawson and William Caelli, Applications and Theory of Cryptography, in INFORMATION SECURITY HANDBOOK 317-454 (Caelli, Longley, & Shain, eds. 1991) [hereinafter Longley, et al.].
13 Id. Diffie & Hellman at 647-48.
14 Simply a suitably chosen number, as described in Part II(B), infra.
15 Id. The Public-Key and Private-Key are a particular related pair.
16 See Rivest, et al., supra note 10 at 121.
17 Id.
18 Diffie & Hellman, supra note 12.
19 See Ford, supra note 12 at 71-73.
20 See 56 FED. REG. 42980-2 (1991), supra note 11, and ElGamal, supra note 12. Note that the ElGamal scheme included a mechanism to allow confidentiality; that aspect has not been incorporated into the DSS (Ford, supra note 12 at 75).
21 Rivest, et al., supra note 10 at 121.
22 Ford, supra note 12 at 83.

B. How do they work?

1) Computers, Numbers, and Prime Numbers

Digital computers use binary arithmetic at their most fundamental level of operation. This is basically because the elementary electronic circuitry used to represent and remember the numbers is by its nature two-state. One state is used to represent the digit 0, and the other represents the digit 1. Each place in a binary number is referred to as a "bit". Because 10 is not an integer power of 2, computers must convert decimal numbers into binary and vice versa when decimal representations are needed to communicate with humans. The transformations between decimal and binary are somewhat involved and thus present a slight impediment to efficiency. However, binary numbers may easily be represented in any number base that is an integer power of 2. Octal (base 8) and hexadecimal (base 16) are the two most common representations encountered. Digital signatures as appended to messages typically employ hexadecimal representations for the body of the signature, which, as will be described shortly, is essentially just a number.

Briefly, to represent a number in hexadecimal, one requires 16 digits instead of the usual 10 employed in the decimal system. The digits 0 through 9 are used with their normal meaning and the letters A through F are added to the end to represent the digits whose decimal values are 10 through 15. So A represents the value $10_{10}$ (where the subscript 10 indicates the decimal interpretation of the digits), B represents $11_{10}$, etc., with F being $15_{10}$. Thus in hexadecimal the digits $10_{16}$ represent the value $16_{10}$, 1F is $31_{10}$, and FF is $255_{10}$. Typically, the subscript 16 is not used when the digits include letters. An alternate way to indicate hexadecimal numbers is to place the letter H in front of the number (e.g. HFF = $\mathrm{FF}_{16}$). Each hexadecimal digit represents a sequence of exactly 4 binary bits. Computer memory is typically divided into 8-bit segments called bytes. Thus each byte can be exactly represented by a 2-digit hexadecimal number, which is one reason for the popularity of hexadecimal representations among computer scientists. It is important to remember, however, that the fundamental properties of numbers are independent of their representation. That is, for example, the number $17_{10}$ is a prime number regardless of whether it is written in binary ($10001_2$), in octal ($21_8$), or in hexadecimal ($11_{16}$), and the actual value which results from all numerical computations such as addition, subtraction, multiplication, and division is independent of the representation of the numbers.

Since all numbers in the computer are integers, special techniques have to be employed to represent fractions and real numbers. Those need not concern us, because all of the techniques employed in the digital signature algorithms deal exclusively with the numbers as integers. Therefore, in the discussion that follows, all numbers will be treated as integers. In fact, the most common representation of textual characters, ASCII (pronounced "ass-key"), uses a single byte for each character. For example, in the ASCII scheme the character "A" is $41_{16}$ ($65_{10}$), the character "a" is $61_{16}$ ($97_{10}$), and the "space" character is $20_{16}$ ($32_{10}$). A byte allows a total of 256 distinct characters (ASCII proper defines the first 128; the remainder are vendor extensions). This is the default for each typical computer font used by word processors as well. Thus any string of text characters is already represented internally as a string of numerical digits, and can be manipulated directly as if it were a number. The PKE scheme simply takes a text message and treats it as if it were such a number. In the following discussion, then, the "message" will simply be represented as a number consisting of a sequential string of hexadecimal digits.

2) Prime Numbers, Logarithms, and Some Basic Number Theory

Prime numbers have fascinated mathematicians since the recorded beginnings of philosophy.23 Prime numbers are simply numbers (integers greater than 1) that are not evenly divisible by any number but themselves and one. That is, whenever they are divided by any smaller integer (except of course the integer 1), there is always a remainder. Numbers that are not prime are called composite because they can be represented by a unique combination of the product of primes (which are called the prime factors of that composite number).24 Euclid gave an elegant proof that the number of primes is infinite.25 This defies the naive impression that as one gets to bigger and bigger numbers, the increasing availability of smaller candidate divisors must surely tend towards providing at least one that will evenly divide the number in question. In fact the frequency of primes does thin out. In the limit as one goes to very large numbers, the total number of primes less than some value, x, approaches x/log x.26 There is no known general formula which will discover all primes below some specified value,27 but there are many famous formulae for generating various sequences of primes.28 There is however no general way to find the ones that have been missed in between those that are generated by the various formulae.29 The gaps between primes are also erratic. All primes > 2 are necessarily odd numbers, and it appears as though there may be an infinite number of "twin primes" (adjacent odd numbers such as 101 & 103), but at the same time there are long stretches with no primes (e.g. the prime number 370,261 is followed by 111 consecutive composite numbers).30 It is known that arbitrarily large gaps between successive primes must eventually occur as the size of the numbers increases.31 These properties of primes are important for the asymmetry property of most of the PKE techniques. It is especially important to note that there is no known efficient algorithm to factor a large composite number into its prime factors.32

Composite numbers can be relatively prime to other numbers if the greatest common divisor is 1.33 That is, they share no common prime factors. For example, 21 is relatively prime to 55, but 15 is not relatively prime to either. 21 has prime factors 3 and 7, whereas 55 has prime factors 5 and 11, and none are shared. On the other hand 15 has prime factors 3 and 5, sharing the 3 with 21 and the 5 with 55, making it not relatively prime to either. Notice that 15 does not evenly divide either 21 or 55. That property is in fact necessary for relative primality, but as we see here, it is not sufficient to establish that two numbers are relatively prime.

The final concept that must be mentioned is modular arithmetic. With modular arithmetic, the modulus simply specifies the total size of the applicable cyclic set of numbers.34 That is, when counting in modular arithmetic, one counts from 0 up to the modulus minus one, then recycles to 0 again. Thus counting modulo 5, for example, would look like: 0, 1, 2, 3, 4, 0, 1, 2, 3, 4, 0, 1, etc. So, the number 6 modulo 5 (which is written 6 (mod 5)) means counting to 6 up from 0 (with the recycle at 4), yielding: 0, 1, 2, 3, 4, 0, 1. It follows then that 6 (mod 5) = 1.35 It is equivalent to say that to find the value of 6 (mod 5), one divides the modulus (5 in this case) into the number (6 in this case, which may be termed the dividend) and the value sought is the remainder resulting from the division. Here, we are particularly uninterested in the integer value of the quotient, and only concerned with the remainder. (5 divides 6 one time with a remainder of 1, so again we have 6 (mod 5) = 1.) As a final note, observe that the size of the resulting remainder is never equal to or greater than the modulus, regardless of the size of the dividend to which it is applied. This is clear from the cyclic counting view of modular arithmetic.

3) The RSA Scheme

The discussion here will be presented without proof. The interested reader is directed to the original paper of Rivest, et al.36 (A simple numerical example is included in Appendix A.) The basic operation behind the RSA scheme is the use of a key (a specially chosen number) as an exponent to be applied to the number which represents the message (recall that all numbers referred to here are discrete integers). The message in its initial (numerical) state is termed the plaintext. The number resulting from the enciphering is called the ciphertext.37 The ciphertext number in the RSA method is the remainder modulo some other number (which is also needed as part of the key). This can be written as:

$C = M^{e} \pmod{N}$; (1)

where M is the plaintext message number and C is the resulting ciphertext form of that message. The numbers e and N taken together are the private key. (This paper's labels are the reverse of those in Rivest, et al., where e is the public exponent and d the private one. The two exponents play symmetric roles, so only the labels differ, but the reader consulting the original paper should keep the swap in mind.) There exists another number, d, which has the property that:

$M = C^{d} \pmod{N}$. (2)

The number d along with N is the public key that can be used to decipher the ciphertext C, to recreate the original plaintext message, M. Recall that the "(mod N)" means that the dividend ($M^{e}$ in equation 1, and $C^{d}$ in equation 2) is divided by N and the result is the remainder after that division. Were the reduction modulo N omitted, exponentiation alone would give

$(M^{e})^{d} = M^{ed}$, (3)

which equals M only in the trivial case e·d = 1. It is the reduction modulo N that makes a useful inverse possible at all, and for the inverse

$M = (M^{e})^{d} \pmod{N}$ (4)

to hold, e and d must be specially selected with respect to N. Further, for the confidentiality function to be implementable, the process must be permutable. That is, e and d may be applied in either order:

$M = (M^{e})^{d} \pmod{N} = (M^{d})^{e} \pmod{N}$. (5)

23 See generally Tom Apostol, INTRODUCTION TO ANALYTIC NUMBER THEORY 1-12 (1976) [hereinafter Apostol].
24 Id. at 16.
25 Id. at 16-17. Suppose that there are only a finite number of primes: p1, p2, ..., pn. Let N = 1 + p1·p2···pn. Every integer greater than 1 is either prime or a product of primes. Since N is larger than pn, under the assumption it cannot be prime. But none of the pi divides N evenly (each leaves a remainder of 1), so N cannot be a product of primes from the list either. The assumption must therefore be false, and the number of primes is infinite.
26 Id. at 8.
27 Id. at 6.
28 Id. at 6-12. See also Rivest, et al., supra note 10, describing an efficient algorithm for finding random large (> 200 digit) prime numbers.
29 Id. at 6.
30 Id.
31 Id.
32 See e.g. Rivest, et al., supra note 10 at 125-26, pointing out that the most efficient known factoring routine would require over $10^{23}$ operations for a 200-digit number, and Longley, et al., supra note 12 at 428, evaluating the allied problem of finding discrete logarithms.
33 See generally Apostol, supra note 23 at 14-21.
34 See e.g. Longley, supra note 12 at 439-42.
35 An alternative way to view modular arithmetic is related to the concept of the congruence of a number with respect to a particular divisor or modulus (see generally H. Davenport, THE HIGHER ARITHMETIC 41-50 (1992)). When a number is referred to modulo some other number, what is meant is that the number in question (the dividend) is divided by the modulus and the remainder is the object of interest. For example this would be written as: 2 = 10 (mod 4), which states that the remainder is 2 after the number in question (10 in this case) is divided by the modulus (4 in this case). Two numbers are said to be congruent modulo a given modulus when they leave the same remainder on division by it. Equivalently, two numbers are congruent when their difference is evenly divisible by the modulus. That is, 10 minus 2 is evenly divisible by 4, and both 10 and 2, when divided by 4, leave the same remainder of 2. The mathematical schemes used in digital signatures use these concepts.
36 Rivest, et al., supra note 10.
37 Id. at 120. Note that the terms encipher and decipher are preferred to encrypt and decrypt because of the confusion in translation into many other languages of the words encrypt and decrypt as being related to burying in the ground and the subsequent act of digging up (Ford, supra note 12 at 65).

Rivest, et al., showed that this is satisfied if the following conditions are met:38

a) $N = p \cdot q$ (where p and q are distinct primes); (6)

b) d is relatively prime to $f = (p-1)(q-1)$;39 and (7)

c) $e \cdot d = 1 \pmod{(p-1)(q-1)}$. (8)

They further demonstrated that one can easily proceed to construct these numbers by first choosing two large primes, p and q, to determine N.40 The number of digits in N needs to be large enough to defeat attempts by persons seeking to find the private key by factoring N. Recall that N itself will be disclosed along with d as part of the public key. Also, since the plaintext and ciphertext are limited to values less than N, a large enough value must be chosen to reduce the number of segments into which the total message to be encrypted must be broken. Next, d is easily selected, as it need only be relatively prime to (p-1) times (q-1). Finally, the expression given by equation 8 can be used to find the corresponding value of e using a fairly simple algorithm41 (the extended Euclidean algorithm, which yields the inverse of d modulo (p-1)(q-1)).

Then, to use the RSA scheme, one proceeds to choose suitable values for p, q, and d, calculating the appropriate value of e from them. p, q, and e must be kept secret. However, N (which is simply p·q) and d are published together as the public key. Should an "attacker" attempt to find e from N and d, she would have two straightforward methods. First, she could exhaustively try to find the value by trial and error (i.e. find the value of e which makes equation 5 true for the known d and N). This is the least practical approach.42 The other option is to factor N to find p and q. Were that to succeed, then the attacker could reproduce the original calculation which the author used to find e in the first place. Thus, the method relies on the great difficulty that the problem of factoring large numbers which are the product of two primes presents. So long as this problem does not yield to a simple rapid algorithm, the attacker is foiled.43

38 Id. at 123.
39 f is known as the Euler totient function (of N in this case), which is defined as the number of positive integers less than N that are relatively prime to N; it equals (p-1)(q-1) precisely because N is the product of the two distinct primes p and q. See Apostol, supra note 23 at 25.
40 Id. at 123-24, noting that several algorithms exist for quickly finding primes with hundreds of digits.
41 Id. at 123.
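As an added example (it is not from the paper, nor the RSA authors' code), the following Python carries equations (1) through (8) through on actual numbers, in this paper's labelling: e and N are the private signing key, d and N the public verifying key. It also shows the message-as-number encoding of section B(1), with the message cut into blocks each smaller than N as the text above requires, the permutability of equation (5) on which the confidentiality function rests, and the attacker's second option, factoring N to recompute e, carried out on a deliberately tiny N. The primes, the value of d and the sample messages are constructed for the illustration; both keys are far too small for real use.

```python
from math import gcd, isqrt


def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    """Solve a * x = 1 (mod m): the 'fairly simple algorithm' behind equation (8)."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def make_keys(p: int, q: int, d: int) -> tuple:
    """Conditions (6)-(8) in the paper's labelling: N = p*q; d relatively prime to
    f = (p-1)(q-1); e = d^-1 mod f.  Returns ((e, N) private, (d, N) public)."""
    N = p * q
    f = (p - 1) * (q - 1)            # Euler's totient of N, since p and q are distinct primes
    if gcd(d, f) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    return (modinv(d, f), N), (d, N)


def block_size(N: int) -> int:
    """Bytes per block so that every block, read as a number, is below N."""
    return (N.bit_length() - 1) // 8


def text_to_blocks(text: str, N: int) -> list:
    """Section B(1): the bytes of the message are a number; cut it into pieces < N."""
    size, data = block_size(N), text.encode("ascii")
    return [int.from_bytes(data[i:i + size], "big") for i in range(0, len(data), size)]


def blocks_to_text(blocks: list, N: int) -> str:
    """Inverse of text_to_blocks.  Minimal-length decoding is exact for ASCII text
    without NUL bytes (assumption); real systems fix the block length with padding."""
    raw = b"".join(b.to_bytes(max(1, (b.bit_length() + 7) // 8), "big") for b in blocks)
    return raw.decode("ascii")


def sign_blocks(blocks: list, private: tuple) -> list:
    """Equation (1), block by block: C = M^e (mod N)."""
    e, N = private
    return [pow(M, e, N) for M in blocks]


def verify_blocks(cipher: list, public: tuple) -> list:
    """Equation (2): M = C^d (mod N).  Anyone holding the public key can do this."""
    d, N = public
    return [pow(C, d, N) for C in cipher]


def factor_attack(N: int, d: int) -> int:
    """The attacker's second option: factor N by trial division, then repeat the
    owner's own computation of e from equation (8).  Feasible only because N is tiny."""
    for p in range(2, isqrt(N) + 1):
        if N % p == 0:
            return modinv(d, (p - 1) * (N // p - 1))
    raise ValueError("N has no nontrivial factor")


# Constructed toy key, as in textbook examples: p = 61, q = 53, d = 17 gives N = 3233, e = 2753.
TOY_PRIVATE, TOY_PUBLIC = make_keys(61, 53, 17)

# Constructed larger key from two Mersenne primes; N has 92 bits, so blocks are 11 bytes.
BIG_PRIVATE, BIG_PUBLIC = make_keys(2**61 - 1, 2**31 - 1, 65537)


def roundtrip(text: str, private: tuple, public: tuple) -> str:
    """Sign with the private key, then decipher (verify) with the public one."""
    _, N = public
    return blocks_to_text(verify_blocks(sign_blocks(text_to_blocks(text, N), private), public), N)


def permutable(M: int, private: tuple, public: tuple) -> bool:
    """Equation (5): applying d first and e second also returns M, which is what lets the
    public key encipher a confidential message that only the holder of e can read."""
    e, N = private
    d, _ = public
    return pow(pow(M, d, N), e, N) == M and pow(pow(M, e, N), d, N) == M


if __name__ == "__main__":
    print(roundtrip("Hi", TOY_PRIVATE, TOY_PUBLIC))
    print(roundtrip("Hello, world", BIG_PRIVATE, BIG_PUBLIC))
    print("attacker recovers e:", factor_attack(3233, 17) == TOY_PRIVATE[0])
```

The trial-division attack finishes instantly for N = 3233 and would take longer than the age of the universe for the 92-bit key only if N were several hundred digits long, which is exactly the paper's point about the size of N; a 92-bit N is itself factorable in seconds by modern methods and appears here only to make multi-byte blocks visible.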

4) The DSS Scheme

The DSS scheme introduced by ElGamal is similar in concept, but uses the difficulty in computing discrete logarithms rather than the difficulty in factoring large numbers.44 In this scheme the sender selects three numbers, p, q, and g, which taken together become the public key. p must be a prime (between 512 and 1024 bits in the proposed standard), q is a prime divisor of p-1 (specified as having 160 bits in the proposed standard), and g is calculated from p and q in a specified manner.45 The user then selects the private key, e, randomly, computing the public key, d, from the expression:

$d = g^{e} \pmod{p}$. (9)

The security in this method (which is not permutable, and therefore does not directly provide the confidentiality function) lies in the asymmetry in the difficulty of computing e, knowing only d and p. That process is known as taking a discrete logarithm and is comparable in difficulty to the factoring problem.46 The keys are used somewhat differently in the DSS scheme than in the RSA scheme. Here, two "signatures", r and s, are appended to the plaintext message:

$r = (g^{k} \pmod{p}) \pmod{q}$; (10)

$s = (k^{-1} \cdot (H + e \cdot r)) \pmod{q}$; (11)

where p, q, and g are included in the public-key. k is any random number less than q, and $k^{-1}$ is given by: $k \cdot k^{-1} \pmod{q} = 1$. H is the hashed digest of the message. The hashed digest is discussed in section 5, infra. Conceptually one can think of the digest as a short form of the message, M. Upon receipt, the signatures are verified using the public-key numbers: p, q, g, and d. Their successful use serves to authenticate the origin of the message as being the same as the origin of the public keys. First the hashed digest is recalculated from the plaintext message as received, and it is used along with the public-keys and the received value for s to compute a new value, v,47 which must be exactly equal to the value for r as received to establish the validity of the message. The successful use of the hashed digest in calculating v provides both the seal function and the integrity function, as it is not possible for the recipient (or any intercepting party) to change the message in any way and preserve the equality of v and r without knowing the private key, e.

42 Id. at 125.
43 Id.
44 ElGamal, supra note 12.
45 $g = j^{(p-1)/q} \pmod{p}$, where j is a random number less than p which satisfies: $j^{(p-1)/q} \pmod{p} > 1$.
46 Ford, supra note 12 at 81-84.
47 For those who may be interested, $v = ((g^{u_1} \cdot d^{u_2}) \pmod{p}) \pmod{q}$, where: $u_1 = (H' \cdot w) \pmod{q}$; $u_2 = (r' \cdot w) \pmod{q}$; and $w = (s')^{-1} \pmod{q}$. H' is the recalculated hashed digest and r' and s' are the received values of r and s. Id. at 81-83.
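To make equations (9) through (11) and the verification in note 47 concrete, here is an added worked example (it is not code from the article or from any DSS implementation) that generates toy parameters in the manner of note 45, signs a message, and shows that an altered message no longer satisfies v = r. It assumes SHA-1 for the hashed digest H, since the article does not name a specific hash function, and uses a p far smaller than the standard's 512 to 1024 bits.

```python
import hashlib
import secrets

# Added example of the DSS scheme in the article's notation: e is the private key,
# d = g^e (mod p) the public key, (r, s) the signature, v the verifier's recomputation.
# SHA-1 stands in for the hashed digest H (an assumption; the article names no hash).

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n):
    """Deterministic Miller-Rabin; these bases give an exact answer for n below 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_parameters(q):
    """Public parameters p, q, g: q prime, q divides p-1, g = j^((p-1)/q) (mod p) > 1 (note 45)."""
    if not is_prime(q):
        raise ValueError("q must be prime")
    k = 2
    while not is_prime(k * q + 1):       # search for a prime p with q dividing p-1
        k += 1
    p = k * q + 1
    j = 2                                # note 45 picks j at random; counting up is deterministic
    while pow(j, (p - 1) // q, p) == 1:  # reject j whose power is 1, i.e. g must be > 1
        j += 1
    return p, q, pow(j, (p - 1) // q, p)

def generate_keys(p, q, g):
    e = secrets.randbelow(q - 1) + 1     # private key, 1 <= e < q
    return e, pow(g, e, p)               # equation (9): d = g^e (mod p)

def hashed_digest(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message, e, p, q, g):
    H = hashed_digest(message)
    while True:
        k = secrets.randbelow(q - 1) + 1          # random k < q, fresh for every signature
        r = pow(g, k, p) % q                       # equation (10)
        s = (pow(k, -1, q) * (H + e * r)) % q      # equation (11); k^-1 satisfies k*k^-1 = 1 (mod q)
        if r != 0 and s != 0:                      # the standard rejects zero values; pick a new k
            return r, s

def verify(message, r, s, d, p, q, g):
    """Note 47: v = ((g^u1 * d^u2) mod p) mod q must equal the received r."""
    if not (0 < r < q and 0 < s < q):
        return False
    H_received = hashed_digest(message)            # H' recalculated from the message as received
    w = pow(s, -1, q)                              # w = (s')^-1 (mod q)
    u1 = (H_received * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(d, u2, p) % p) % q
    return v == r

if __name__ == "__main__":
    # Constructed demonstration values: a 31-bit prime q keeps the search for p quick.
    p, q, g = generate_parameters(2147483647)
    e, d = generate_keys(p, q, g)
    message = b"I agree to the terms of the contract dated 1 March."   # constructed sample
    r, s = sign(message, e, p, q, g)
    print("genuine message verifies:", verify(message, r, s, d, p, q, g))
    altered = message.replace(b"1 March", b"2 March")
    print("altered message verifies:", verify(altered, r, s, d, p, q, g))
```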

The DSS scheme requires considerably more effort on the deciphering end as compared to the enciphering operation. By comparison the RSA technique is more balanced at each end.48 Further, as noted supra,49 the DSS scheme as proposed does not provide the confidentiality function, whereas the RSA scheme is easily employed to provide all four functions.50

5) Hashing and Digests

Hashing refers to the process of creating a string of characters known as a digest by a mapping from the full plaintext message.51 The algorithm used to form the digest from a particular plaintext message is typically designed with the seal function in mind. That is, if any character in the plaintext message is changed then the digest will change also. It is likewise essential that each individual plaintext message result in a single unique digest. Finally, it is sometimes useful if the plaintext message cannot be feasibly reconstructed from the digest.52 The digest generated for use with digital signatures is typically of a fixed length which is chosen to be small enough to be comfortably enciphered as the message surrogate in the construction of the actual digital signature with the private-key. This allows very large plaintext messages to be represented in the digital signature formation by a string of known and suitably short length. This is the principal motivation for using hashing. Since the PKE schemes require that the message lengths be smaller in character length than the modulus used, and the calculation times go up as the modulus size is increased, enciphering entire large messages in one operation is impractical. Even when the large message is broken into a sequence of smaller segments, the total time required to encipher and decipher the message may be prohibitive.53

48 Id. at 83.
49 See supra note 43 and accompanying text.
50 See supra note 35 and accompanying text. The four functions are: authentication; seal; integrity; and confidentiality. See supra note 12 and accompanying text.
51 Ford, supra note 12 at 75-77.
52 See e.g. Article 1.10, Hash Function in ABA-DSG supra note 7.

To function on the receiving end of a message, the hashing algorithm must be known to the recipient. It is then applied to the full plaintext part of the received message. The resulting digest is then used to verify the digital signature. Even the change of a single bit in the digest will result in a failure to verify the signature.54 Note that when used in this fashion, the plaintext is sent as part of the body of the message and the confidentiality function is forfeited.

One common technique to assemble digests is called the cyclic redundancy check [hereinafter CRC]. A CRC samples bits horizontally according to some repetitive scheme across the characters in the plaintext message field. For example the simple parity of the sum of all of the corresponding bits from character to character through the message might be written into a single bit in the digest (e.g. take the sum of all the least significant bits from every character in the full plaintext message; if the resulting sum is even, the first bit in the digest will be set to 0, and if it is odd then that bit is set to 1). Other characters in the digest can be calculated using modular arithmetic, and by zig-zagging through the bits from the plaintext characters according to some particular scheme. The resulting digest can be constructed so as to provide that even a change in a single bit in the plaintext will necessarily change at least one bit in the digest, and no reasonable conspiracy of multiple changes will result in the fluke reconstruction of the original digest. Thus when the digest is enciphered as the message surrogate in the PKE digital signature, the seal function is provided. Any corruption in the plaintext message will result in the calculation of a digest which will differ from the one obtained from the deciphering of the digital signature with the public-key.55 At present the design of good hash functions has proved somewhat problematic, but there are some which are presently in widespread use, and so far appear to be credible.56

53 Ford, supra note 12 at 79-80.
54 Id. at 75-77.
55 Id.
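As an added illustration of the horizontal parity digest the paragraph describes (this is not code from the article, and the scheme is a teaching toy rather than a usable hash function), the following computes one parity bit per bit position across all characters, confirms the single-bit property the text claims, and shows the two-flip cancellation that the zig-zag mixing the text mentions, and in practice a cryptographic hash function, must prevent. The sample plaintext is constructed; SHA-1 is used only as a contrast.

```python
import hashlib

def column_parity_digest(message: bytes) -> int:
    """Eight-bit digest: bit i is the parity of the sum of bit i taken from every
    character of the message (the article's least-significant-bit example, repeated
    for all eight bit positions).  Returned as an integer in the range 0..255."""
    digest = 0
    for bit in range(8):
        column_sum = sum((ch >> bit) & 1 for ch in message)
        if column_sum % 2 == 1:        # odd sum: digest bit set to 1; even sum: left at 0
            digest |= 1 << bit
    return digest

def flip_bit(message: bytes, index: int, bit: int) -> bytes:
    """Return a copy of message with one bit of one character inverted."""
    out = bytearray(message)
    out[index] ^= 1 << bit
    return bytes(out)

def every_single_bit_change_detected(message: bytes) -> bool:
    """The property the article claims: any single-bit change alters the digest."""
    original = column_parity_digest(message)
    return all(column_parity_digest(flip_bit(message, i, b)) != original
               for i in range(len(message)) for b in range(8))

def same_column_double_flip_collides(message: bytes) -> bool:
    """The weakness of parity alone: inverting the same bit position in two different
    characters restores the digest, so the seal would not reveal that change."""
    if len(message) < 2:
        return False
    altered = flip_bit(flip_bit(message, 0, 5), 1, 5)   # bit 5 toggles ASCII letter case
    return altered != message and column_parity_digest(altered) == column_parity_digest(message)

def sha1_distinguishes(message: bytes, altered: bytes) -> bool:
    """A cryptographic hash function (SHA-1 here) does change for the same double flip."""
    return hashlib.sha1(message).digest() != hashlib.sha1(altered).digest()

if __name__ == "__main__":
    sample = b"Pay to the order of A. Smith: 100 dollars"   # constructed sample plaintext
    print("parity digest: {:08b}".format(column_parity_digest(sample)))
    print("every single-bit change detected:", every_single_bit_change_detected(sample))
    print("two flips in one column collide:", same_column_double_flip_collides(sample))
    twice = flip_bit(flip_bit(sample, 0, 5), 1, 5)       # reads "pAy to ..."
    print("SHA-1 still differs:", sha1_distinguishes(sample, twice))
```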

C. What are the Disadvantages and Vulnerabilities of the PKE Schemes

The primary disadvantage of the PKE schemes when compared with some of the alternatives is the computational complexity and the attendant calculational time required. For short cryptic messages, the time overhead is small, but for large messages where confidentiality is required, the enciphering and deciphering times can become considerable.57 Another non-negligible consideration is the communications overhead. The fact that the length of the messages can be significantly increased by the addition of the signature appendices, again especially when confidentiality is required in a long message, impacts the total volume of traffic on the computer networks.58 Both of these factors can be represented as an economic cost in terms of the increased quantity of resources required to proceed using PKE digital signatures as compared with the alternatives.

As pointed out initially,59 the authentication function of PKE techniques is only as reliable as the ability to associate the public key with the author. Much of the discussion of the legal and statutory infrastructure needed to implement digital signatures revolves around this issue.60 The essence of the utility of the PKE schemes is the ability to execute legal transactions remotely between parties without the requirement that they exchange anything other than by purely electronic means. Adding a requirement that they physically exchange some article to establish authenticity would defeat the essential advantage that PKE schemes have over all other present alternatives. There is no presently known method to establish absolute authenticity arbitrarily by strictly electronic means. All present solutions require the establishment of some type of certification authority, which acts as a repository for public-keys and vouches for the relationship between a particular public-key and its supplier.61 Any method which defeats that association defeats all 4 functions provided by the PKE technique.62

All proposed PKE techniques rely on a mathematical asymmetry in the difficulty between a particular process and its inverse. The discovery of an algorithm for the difficult side of the process allows the calculation of the private key from the public key, and with it the defeat of all 4 functions. At present, the processes chosen show no signs of yielding,63 but one must be eternally vigilant to the possibility.

56 Id. at 84, and Mitchell, et. al. supra note 12 at 325.
57 Ford, supra note 12 at 79.
58 Id.
59 See supra note 13, and accompanying text.
60 See infra Part 4(A).

Finally, there is the problem of physical security. The private key must be safeguarded. Should the private key come into the possession of one other than the proper owner, then of course that person could send messages purporting to come from the proper owner. This is a significant problem, since private-keys are necessarily loaded into computers at some point in the enciphering process. The unauthorized access to a machine containing a private-key carries with it the threat that the private-key will be compromised. This can occur in subtle ways. For example, in addition to the direct method of simply downloading the value to the attacker's computer, an attacker may gain enough information about the nature of the private key to allow dramatic short-cuts to be taken in external attempts to calculate the private-key. For example, it was recently reported64 that by observing the precise times that a particular CPU takes to run a known deciphering algorithm with known messages and a particular private-key,65 one can reduce the problem of calculating the value of that private-key from the known public-key to one which requires only a few minutes. While a simple fix has been implemented to thwart this potential attack,66 even in the remote cases where it is possible to make such observations, it serves to illustrate the potential for compromise in subtle ways.

61 See Longley supra note 12 at 345-348.
62 Id.
63 See notes 41 and 43 and the accompanying text.

III. Why do we need digital signatures?

A. Authentication

Perhaps the prime function for digital signatures is to provide the same significance that conventional handwritten signatures connote. These can be broken into 4 categories: evidence, approval, ceremony, and efficiency.67 All of these functions concern the issue of authentication. The evidence function refers to the ability to determine the identity of the signer of the document.68 It makes the document attributable to the signer. Approval is the function that indicates the signer's intention that the document have legal effect.69 The ceremonial function is sometimes referred to as the cautionary function.70 By this it is meant that the solemnity of signing draws the signer's attention to the significance of the proceeding. Finally, the efficiency function refers to the significance that the presence of the signature on that document has for general viewers. For example the signature of the CEO of a corporation on a memo might lessen the tendency of the employees to inquire or question the content. This function has been likened to the symbols of authentication on currency.71 In order to allow commercial and legal transactions to occur over electronic networks, these traditional functions must be provided by some mechanism. As described in part II(A)(2), supra, digital signatures are capable of providing such a mechanism along with additional benefits that conventional handwritten signatures cannot. Each of these capabilities will be considered in turn.

64 John Markoff, Secure Digital Transactions Just Got a Little Less Secure, N.Y. TIMES (National ed.), Dec. 11, 1995, at A1, C4, reporting on the work of Paul C. Kocher.
65 Id. In this case the public-key is being used in an RSA scheme to encipher known messages sent back to the key owner, who is then observed (measuring the CPU execution time required) while she uses her private-key to decipher those messages within her own computer.
66 Id. at C4.
67 ABA-DSG supra note 7 at 4. See also Joseph M. Perillo, The Statute of Frauds in the Light of the Functions and Dysfunctions of Form, 43 FORDHAM L. REV. 39, 48-64 (1974) [Hereinafter Perillo].
68 RESTATEMENT (SECOND) OF CONTRACTS, statutory note preceding § 110 (1982). See also Lon L. Fuller, Consideration and Form, 41 COLUMBIA L. REV. 799, 800 (1941) [Hereinafter Fuller].
69 Uniform Commercial Code § 3-204.

1. Identifying the Signer

If a signature of any sort is to be of use, it must be attributable to the person who affixed it. The detection of forgeries of conventional handwriting is itself quite problematic.72 Digital signatures provide a considerably greater reliability for identification of the possessor of the private-key as the signer of a particular message than does a conventional signature on a paper document.73 The difficulty comes when one wishes to associate the holder of a particular private-key with an individual person. This cannot be done electronically, but "must be made by people using the fact-finding capabilities of their senses."74 In practice that association involves considerable effort. If the signer and the recipient must physically meet to authenticate the key association, the whole point of using electronic communication is defeated. An alternative is to resort to a trusted third party to shoulder the burden of verification of the identity of the key holder, and then to certify that information to the recipient. Such a third party is known as a certification authority [hereinafter CA].75

70 Perillo, supra note 65 at 53-56, and Fuller, note 66 supra at 800.
71 See Perillo, supra note 65 at 50-53, and Fuller, supra note 66 at 801-02.
72 See e.g. U.S. v. Starzecpyzel, 880 F. Supp. 1027, 1047 (S.D.N.Y. 1995), concluding that forensic document examination is not a science, but a skill like that possessed by an experienced artisan. The testimony of such experts may be useful to the trier of fact, but cannot be presented as scientifically based.
73 ABA-DSG supra note 7 at 7.

The need for a CA naturally leads to the issue of certifying the CA itself. This then conjures up the image of a hierarchy of CAs, each of which must be consulted in turn to verify the authenticity of the previous authority consulted. Practically, that means that the message that the first CA sends to verify the value of the original signer's public-key must itself be digitally signed. The public-key for that digital signature is supplied by the next level CA, which of course must be digitally signed, and so on. Clearly, at some point it must end. Statutory provisions have been adopted in Utah76 in the Utah Digital Signatures Act [hereinafter Utah-DSA], and are embodied in the Digital Signature Guidelines being drafted as model legislation by the Information Security Committee of the Section of Science and Technology of the American Bar Association [hereinafter ABA-DSG].77 Both of these schemes provide for the licensing of private CAs including their responsibilities78 and liabilities,79 and for the establishment of a government CA to certify licensed CAs.80 Note that under the Utah-DSA CAs are not required to be licensed, but compliance with the licensing provisions affords a limit to liability, and an exemption from punitive damages.81

The establishment of a hierarchy of CAs cannot, however, overcome the initial problem that the first CA has in determining the identity of the individual wishing to be certified (generally termed the subscriber). At some point, either a physical identification must occur, or a remote investigation by the CA sufficiently convinces them that the identity of the subscriber has been established to the required level of confidence.82 The issue of CA liability is considered in part IV(C) infra. The actual information available from the CA is called a certificate, and consists of a message which includes: 1) the identity of the CA; 2) the name of the subscriber; 3) the subscriber's public key; and 4) the digital signature of the CA issuing the certificate.83 The use of such a certificate by the recipient of a message thus allows the verification of the association of the party holding the private key with the subscriber named. Again this association is limited by the presumption that someone other than the subscriber has not come into possession of the private-key, either by some form of misappropriation or by a successful attack on the enciphering algorithm.

74 Id. at 11.
75 Id. See also Longley, et. al., supra note 12 at 345, and Ford, supra note 12 at 93-97.
76 U.C.A. 1953 s 46-3, Utah Digital Signature Act.
77 ABA-DSG note 7 supra.
78 U.C.A. 1953 s 46-3-202, -207, and 304, -307, and ABA-DSG note 7 supra at Art. 3.
79 U.C.A. 1953 s 46-3-308, and ABA-DSG supra note 7 at 3.16.
80 U.C.A. 1953 s 46-3-501, and ABA-DSG supra note 7 at 3.7, noting in comment 3.7.2 that a CA's certificate must be conveniently available for reference in a trustworthy manner, falling short of Utah's absolute requirement for licensed CA's certificates to be available from a government CA.
81 U.C.A. s 46-3-201(5)(b).
82 ABA-DSG supra note 7 at 11. The level of confidence is a question of fact related to the objective reasonableness standard applied in the case of a tort action predicated upon a loss proximately caused by reliance on that certificate (i.e. where it turns out not to be from the subscriber purported), ABA-DSG supra note 7 at §§ 3.16 and 5.3, and U.C.A. 1953 s 46-3-301, 304, 308.
83 ABA-DSG supra note 7 at § 1.4, and U.C.A. 1953 s 46-3-104, requiring in addition: a description of the algorithms used; a unique serial number to that certificate; the date and time the certificate was issued and the date and time on which it takes effect; the expiration date of the certificate; and the recommended monetary reliance limit for any transactions to be based on the use of that certificate.
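The four-part certificate of the text and the hierarchy that "must end" somewhere, as an added example (not code from the article, the ABA-DSG or the Utah-DSA): textbook RSA in the article's notation (p, q and e secret; N and d public, with d relatively prime to (p-1)(q-1)) signs a certificate binding a subscriber's name to a public key, and a chain is checked link by link up to a government CA whose public key the verifier must already hold, obtained outside the electronic channel. SHA-1 as the digest, the three toy key pairs, the names and the field layout are all constructed for the example; note 83's additional fields (serial number, dates, reliance limit) are omitted.

```python
import hashlib
from math import gcd

# Added example, not code from the article.  Textbook RSA in the article's notation:
# p, q and e are kept secret; N = p*q and d are the public key; e*d = 1 (mod (p-1)(q-1)).
# The toy keys are far too small for real use and exist only to make the chain logic visible.

def make_key(p, q):
    N = p * q
    phi = (p - 1) * (q - 1)
    d = 3
    while gcd(d, phi) != 1:      # d need only be relatively prime to (p-1)(q-1)
        d += 2
    e = pow(d, -1, phi)          # the corresponding private exponent
    return {"N": N, "d": d, "e": e}

def hashed_digest(data, N):
    """SHA-1 digest (an assumption) reduced below the modulus, used as the message surrogate."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % N

def rsa_sign(data, key):
    return pow(hashed_digest(data, key["N"]), key["e"], key["N"])

def rsa_verify(data, signature, N, d):
    return pow(signature, d, N) == hashed_digest(data, N)

def to_be_signed(issuer, subject, N, d):
    """The certificate fields the CA's signature covers: the CA's identity, the subscriber's
    name and the subscriber's public key (a constructed layout, not a standard format)."""
    return f"{issuer}|{subject}|{N}|{d}".encode()

def issue_certificate(issuer, issuer_key, subject, subject_public):
    N, d = subject_public
    cert = {"issuer": issuer, "subject": subject, "N": N, "d": d}
    cert["signature"] = rsa_sign(to_be_signed(issuer, subject, N, d), issuer_key)
    return cert

def verify_chain(chain, trusted_roots):
    """chain[0] is the subscriber's certificate; each following entry is the certificate of
    the CA that issued the previous one.  The last issuer must be a root whose public key
    (N, d) the verifier already holds in trusted_roots, obtained out of band."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer_cert = chain[i + 1]
            if issuer_cert["subject"] != cert["issuer"]:
                return False                    # broken link in the hierarchy
            issuer_public = (issuer_cert["N"], issuer_cert["d"])
        else:
            issuer_public = trusted_roots.get(cert["issuer"])
            if issuer_public is None:
                return False                    # chain ends at an authority nobody vouched for
        N, d = issuer_public
        data = to_be_signed(cert["issuer"], cert["subject"], cert["N"], cert["d"])
        if not rsa_verify(data, cert["signature"], N, d):
            return False                        # certificate altered, or not signed by that CA
    return True

# Constructed hierarchy: a government CA certifies a licensed CA, which certifies a subscriber.
GOVERNMENT_KEY = make_key(999983, 1000003)
LICENSED_CA_KEY = make_key(524287, 65537)
SUBSCRIBER_KEY = make_key(8191, 131071)
TRUSTED_ROOTS = {"Government CA": (GOVERNMENT_KEY["N"], GOVERNMENT_KEY["d"])}
CA_CERT = issue_certificate("Government CA", GOVERNMENT_KEY, "Licensed CA",
                            (LICENSED_CA_KEY["N"], LICENSED_CA_KEY["d"]))
SUBSCRIBER_CERT = issue_certificate("Licensed CA", LICENSED_CA_KEY, "Alice Subscriber",
                                    (SUBSCRIBER_KEY["N"], SUBSCRIBER_KEY["d"]))
CHAIN = [SUBSCRIBER_CERT, CA_CERT]

if __name__ == "__main__":
    print("genuine chain:", verify_chain(CHAIN, TRUSTED_ROOTS))
    renamed = dict(SUBSCRIBER_CERT, subject="Someone Else")   # name-to-key association altered
    print("altered certificate:", verify_chain([renamed, CA_CERT], TRUSTED_ROOTS))
    print("chain without a trusted root:", verify_chain([SUBSCRIBER_CERT], TRUSTED_ROOTS))
```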

Related to the function of CAs are collateral entities known as repositories.84 These are certificate databases which are maintained on line for general access purposes. It is most likely that CAs may simultaneously operate their own repository service, but the functions of issuing the certificate and maintaining the on-line database are two separate and distinguishable endeavors that carry their own particular duties and liabilities.85 Further, large generally accessible repositories may be set up, accepting certificates from many different CAs. Such repositories might improve the general access to certificates by insuring a higher and more uniform quality of service.

2. Verification of Content

One of the strengths of the digital signature technique is the ability to provide the seal function. Through the use of hashing, or by enciphering the entire plaintext message, the verification of the digital signature carries with it the verification that the contents of the message are unchanged from the version that was signed with the private-key. Note that this verification is two-way. The recipient is assured that the message was not intercepted en route and modified. Furthermore, because the recipient can only access the public-key, he cannot modify the message either. Thus, if subsequently called upon to produce a copy of the message that he received, the verification of the digital signature at that time would again confirm that the message had not been tampered with by any party. This differs from the so-called symmetric encryption schemes discussed in Part V, infra, where the recipient can verify the non-alteration of the message in transit, but the possession of the symmetric key allows him to modify the contents upon receipt and reconstitute the seal, creating a message that appears facially valid and shows no evidence of alteration. Clearly the PKE scheme is superior, and allows the recipient to produce a copy of the message received in court with a prima facie presumption of validity.86

84 ABA-DSG supra note 7 at § 1.24, and U.C.A. 1953 s 46-3-103(29).
85 See e.g. U.C.A. 1953 s 46-3-502, providing that CAs may set up repositories or they may be separately licensed; and U.C.A. 1953 s 46-3-504, exempting repositories from all liability associated with reliance upon certificates issued by a licensed CA.

3. Non-Repudiation (Attribution & Approval)

Along with the association of the message with the holder of the private-key, the verification of the digital signature carries with it the presumption that the subscriber affixed (or otherwise authorized the application of) the signature to the message with the intention to authenticate.87 This allows the use of a digital signature in any manner in which a valid handwritten signature may be used,88 and with that any limitations from the common law on the liabilities incurred by the signing party, such as allowing repudiation where there was a lack of intent to affix a signature,89 and the signing party can present proof sufficient to rebut the presumption of intent. However, in the final analysis, the digital signature is likely to be far more difficult to repudiate than a handwritten signature.90

86 ABA-DSG supra note 7 at § 5.6 and comments, and U.C.A. s 46-3-401. The presumption is of course rebuttable, by proof that the certificate was not valid for some reason, or that the subscriber had either lost control of the private key or that it was somehow discovered, and the subscriber can satisfy the burden of proof that the message did not come from her. See ABA-DSG at comment 5.6.2.
87 U.C.A. s 1953 46-3-401(3), and ABA-DSG supra note 7 at § 5.6.
88 ABA-DSG supra note 7 at §§ 5.1, 5.6 and comment 5.6.2, indicating that the digital signature carries with it all of the presumptions associated with a valid handwritten signature.
89 U.C.A. s 1953 46-3-401(5)(c). See also Thomas, supra note 8 at 1152, 1161-62, observing that courts have tended to look for the signer's intent, and that when tied to the technology, it may be possible to argue that where the use of digital signatures may be technically required like passwords for particular communications, the using party should not necessarily be held to have had the intent to sign, and Douglas Robert Morrisson, The Statute of Frauds Online: Can a Computer Sign a Contract for the Sale of Goods?, 14 Geo. Mason U. L. Rev. 637, 661 (1992) [Hereinafter Morrisson], pointing out that intent to sign is a question of fact whether it was more likely than not that a particular use was authorized.

The most likely reason for repudiation of a digital signature will be a claim that the private-key was compromised.91 This possibility has been considered in both the ABA-DSGs and the Utah-DSA. They both create a duty on the part of the subscriber to exercise reasonable care in keeping the private-key from being compromised,92 and the ABA-DSG expressly requires the subscriber to promptly notify any CAs holding the public-keys corresponding to the suspect private-key upon any reasonable suspicion that it has been compromised.93 However, for some reason, the Utah-DSA is silent on the subscriber's express duty in this regard. Again, in both, the CA has a duty to give suitable public notification of suspension94 or revocation95 of that certificate.96 The CA has a duty to revoke or suspend a certificate should it become aware of its invalidity. However, the CA does not have any duty to monitor the use of the certificates to affirmatively look for developments that warrant suspicion that a private-key may have been compromised.97

90 Given the potential technology available to forge handwritten signatures, the possibility to construct such a forgery is far greater than attacking the PKE mathematical algorithms. See e.g. U.S. v. Starzecpyzel, supra note 72.
91 Longley, et. al., supra note 12 at 348-49, pointing out that situations where the private-key could be misappropriated likely represent the greatest threat to the reliability of digital signatures.
92 U.C.A. s 1953 46-3-303, establishing the reasonable care standard, and ABA-DSG supra note 7 at § 4.3, expressly declining to establish the precise standard of care, but referencing the Utah-DSA and alternative possible standards.
93 ABA-DSG supra note 7 at § 4.4., and ABA-DSG note 7 supra at § 4.4. This creates a negligence standard of reasonable care on the part of the subscriber.
94 The temporary invalidation of a certificate for some specified period of time, ABA-DSG supra note 7 at § 3.11, and U.C.A. s 1953 46-3-103(35).
95 The permanent removal of a certificate from use, ABA-DSG note 7 supra at § 3.12, and U.C.A. s 1953 46-3-103(31).
96 ABA-DSG supra note 7 at § 3.14, and U.C.A. s 1953 46-3-302, -306.

4. Ceremony

The ceremonial function is perhaps of greater significance in the use of digital signatures than for handwritten ones. The likelihood that one will inadvertently sign a document by hand is somewhat remote. However, given the nature of computers, the poor design of application software might well provide for the default appending of a digital signature on all messages without the necessary individual affirmative act on the part of the signer. If digital signatures are to be accorded the status of handwritten ones, binding the owner to approval of all documents to which they are attached, it is important that their actual use be particularly ceremonial. For example, the signature might be kept on an external medium such as a floppy disk or a PCMCIA98 card, where the act of applying a digital signature requires the physical insertion of the disk or card into the machine at the time of fixation or transmission. This type of implementation would be difficult to mandate, but the reasonable care standard for the protection of private-keys likely will be found to extend to the care in use by the owner as well as the care that they not be compromised by coming into the possession of others. As mentioned in section 3, supra, both the ABA-DSGs and the Utah-DSA provide a presumption of intent to affix, but both make that presumption rebuttable.99 The ABA-DSGs suggest that the subscriber use a suitable form of application software including password protection, but neither mandates its use nor discusses the standard of care for insuring that all uses by the owner are indeed intentional.100 The Utah-DSA is silent on this issue.

97 ABA-DSG supra note 7 at § 4.4, and comment 4.4.2, but see U.C.A. 1953 s 46-3-207(1), mandating that, although not expressly assigned a duty to look for suspicious activity, a CA may not conduct its business in any manner that creates a commercially unreasonable risk for either subscribers or persons relying on the certificates.
98 PCMCIA is an acronym for Personal Computer Memory Card International Association and refers to a standard that has become the default choice for plug-in cards for personal computers, Patrick Dryden, Uncommon Cards for Uncommon Slots: PCMCIA Magic is no Easy Trick, but as Standards Begin to Settle, More Products Emerge, 55:10:5 LAN TIMES, March 8, 1993.

5. Determining the Time of Signing

In instances such as those where the "mailbox" rule applies, the exact time that the message was irrevocably committed to transmission to the recipient may be dispositive.101 This is somewhat problematic for digital signatures. The present schemes do not provide for any accurate determination of the time of sending or signing of a message by the subscriber. The only provision for authentication of a time is the existence of a time stamp from a CA.102 However, this service only serves to establish the time that the recipient chose to verify the digital signature via a CA that provided a time stamp.103 Thus the time stamp only serves to determine that the digital signature was affixed and the message was sent some time prior to the time stamp. Litigants would have to resort to extrinsic evidence to establish any earlier time as applicable to the validity of the message.104

B. Satisfaction of Legal Signing Requirements

99 See supra notes 85-88 and accompanying text.
100 ABA-DSG supra note 7 at § 4.3 and comment 4.3.2.
101 RESTATEMENT (SECOND) OF CONTRACTS § 63, setting out that the acceptance of an offer is effective at the time a properly addressed message is "mailed" without regard to its eventual proper receipt.
102 ABA-DSG supra note 7 at § 1.29, and U.C.A. 1953 s 46-3-103(36).
103 ABA-DSG supra note 7 at § 5.6(4), and U.C.A. 1953 s 46-3-401(4).
104 ABA-DSG supra note 7 at § 5.6 and comment 5.6.2, and U.C.A. 1953 s 46-3-401(4)(b), allowing the finder of fact to conclude based upon other evidence that the message was sent at some specific earlier time.


1. The Statute of Frauds, the UCC, Real Estate, and the Parol Evidence Rule

Chapter 5 of the RESTATEMENT (SECOND) OF CONTRACTS, comprising §§ 131-137, expressly requires signed writings under certain conditions for the contracts to be valid. § 134 specifically addresses the issue of signatures and allows any symbol that manifests the intent of the signer to be bound to satisfy the requirement. Courts have generally tended to be very liberal in finding this requirement to be satisfied,105 and there is no reason to believe that digital signatures will provide any particular problems, except as noted in Part III(A)(3), supra, where there is a genuine question regarding the intent of the signer. The UCC also embodies the Statute of Frauds in § 2-201. As digital signatures are typically valid as replacements for handwritten signatures, no conflict with the Statute of Frauds is likely to occur.

The Parol Evidence Rule also warrants a mention in this context.106 When parties have reduced their agreement to a writing intended to be the integrated expression of that agreement, extrinsic evidence of additional inconsistent terms from prior agreements is inadmissible to determine the scope of the final agreement. An electronic document is likely to be found sufficient to satisfy the parol evidence rule's requirement for a writing, and the authentication of that document by the presence of digital signatures will also likely be found to be sufficient to make the agreement binding where a handwritten signature on a conventional paper document would have been sufficient.107 At present there is no case law on this issue.

105 See Morrisson, supra note 87 at 654, discussing the courts' general acceptance of "signed" telegrams and suggesting the likelihood of their similar acceptance of electronic signatures.
106 UCC § 2-202, and RESTATEMENT (SECOND) OF CONTRACTS § 213.
107 ABA-DSG supra note 7 at § 5.1 and comments 5.1.1-12, listing all of the known formal signature and writing requirements within the U.S.


Finally, even though the Statute of Frauds expressly includes all conveyances of real property,108 under the law of most states the common law forms of conveyance have been replaced by statutory forms for deeds.109 Thus the formal requirements for a signed writing to accompany the conveyance of real property now have a legal basis separate from the Statute of Frauds.110 At present, only the Utah-DSA would address the ability to conduct such a transaction wholly electronically, satisfying the statutory deed signing requirements via a digital signature. There is no case law at present concerning this aspect of the use of digital signatures, but there is no reason to doubt that this form of transaction will ultimately become commonplace in real estate as well.

2. Submissions to Courts and to the Government

Beyond the issues in commercial transactions and contract formation, there are numerous examples of where a signature is required on documents submitted to courts,111 and on documents submitted to the government.112 At present, there are no statutes providing for the general use of digital signatures to satisfy all signature requirements on such documents submitted to the Federal courts or government; Utah is the only state government to adopt statutes legalizing the use of digital signatures, and even this watershed legislation expressly exempts submissions to the Utah State Tax Commission.113 It is foreseeable that as digital signature legislation increases, all writing and signature requirements will be able to be satisfied electronically.

108 UCC § 2-202, and RESTATEMENT (SECOND) OF CONTRACTS § 213.
109 ABA-DSG supra note 7 at § 5.1 and comment 5.1.2, citing Roger Cunningham, William Stoebuck and Dale Whitman, THE LAW OF PROPERTY § 1.6 at 761 (2d ed., 1993).
110 ABA-DSG supra note 7 at § 5.1 and comment 5.1.2, citing 9 George Thompson, THOMPSON ON REAL PROPERTY § 82.03(b)(3), at 291-92 (Thomas ed., 1994).
111 See e.g. FED. R. CIV. P. Rule 11, Signing of Pleadings, Motions, and Other Papers; Representations to the Court; Sanctions.
112 See e.g. INT. REV. SERV. Form 1040, U.S. Individual Income Tax Return, and the Form 1040PC, expressly providing for electronic filing. Presently electronic filing must be made through designated third parties who do receive conventionally signed copies of the form.

IV. What Burdens Do Using Digital Signatures Create?

A. The need for Certification Authorities

The first major infrastructure impact of enabling the commercial and otherwise legal use of digital signatures is the need for CAs.114 Although the private sector is capable of supplying the needs by charging user fees, there is a clear need for legislation to license and regulate these entities, and for official government run CAs.115 The cost of operating the government entities can be paid for via general revenue, or through the use of user fees, but in either case they represent a net additional economic cost to society that handwritten signatures do not incur. Perhaps the cost will be offset by the reduction in the actual use of paper, but the use of purely electronic documents has its costs as well. Not only does one need to provide the actual media upon which the documents are stored, along with any provisions for archival backup copies, but the added costs of the hardware to create, transmit and view the documents must be included in the calculation too.116

113 At present Utah is the only state adopting legislation legitimizing digital signature use, and U.C.A. 1953 s 46-3-402 expressly exempts submissions to the Utah State Tax Commission from the act.
114 See supra the discussion in the text accompanying notes 74-83.
115 See generally ABA-DSG supra note 7; the Utah-DSA, U.C.A. 1953 s 46-3, and the discussion in Ford, supra note 12 at 93-97, urging that ultimately there will be a need for a Federal U.S. national CA, and possibly an International CA regulated by treaty.
116 I have been unable to discover any arguments or detailed compiled data by advocates of electronic documents or digital signatures on the net economic costs of their implementation. However, the literature is abundantly sprinkled with examples of the benefits. See e.g. Long &


Once the CAs exist, then one can expect a whole new jurisprudence to develop. The only analogous entities in the present legal structure are notaries,117 and they differ sufficiently in function from CAs to effectively require a separate judicial approach.118 One example of a new problem stems from the computer's inherent capability to record and rapidly recall all prior transactions. CAs could easily record and track the parties involved in all transactions that made use of their subscribers' certificates. Such data might subsequently be the subject of a subpoena, or be sold to commercial data bases, raising privacy issues.119 Such data is also likely to be commercially valuable in many instances, raising similar privacy issues to those raised with regard to telephone records.120 The post office, by comparison, is not physically capable of tracking, for later recall, all of the signed correspondence between arbitrary parties, whereas the telephone company could more readily do so. The privacy laws affecting these other forms of communication will likely have an influence on statutory and judicial treatment of these issues with respect to the implementation of digital signatures.

B. The Liability of Certification Authorities

With the creation of CAs and the creation of responsibilities and duties for them, comes the issue of their liability. One could, of course, simply assign a negligence standard and allow the judicial process to function as it does in most other areas of the law. The difficulty with that approach is that the sums of money potentially involved in the transactions that will occur are so substantial that the risk of liability would require user fees that would make the operation of CAs cost prohibitive.121 The solutions employed and proposed revolve around setting liability limits. For example, the Utah-DSA exempts the CA from any liability where it has been properly licensed and followed the requirements of the statutes.122 Basically, this protects the CAs from liability where the subscriber misrepresented information in applying for the certificate, and that certificate was relied upon by some party, that reliance being the proximate cause of some harm.123 The CA must comply with all of the statutory requirements in issuing the certificate to be afforded this protection.124 The catch is that the statute requires some standard of care by the CA, so there could still be liability where the claim would be for a breach of that duty.125

Long, supra note 1.
117 See ABA-DSG supra note 7 at § 1.17 and comment 1.17.2, detailing the differences between notaries in various countries and their distinction from CAs. See also Michael Baum and Henry Perritt, ELECTRONIC CONTRACTING, PUBLISHING, AND EDI LAW 211-14 (1991).
118 Id.
119 See ABA-DSG supra note 7 at § 3.10 and comment 3.10.1, and see generally M. Ethan Katsh, LAW IN A DIGITAL WORLD 227-36 (1994), and Longley, et al., supra note 12 at 328-333.
120 See e.g. Longley, et al., supra note 12 at 328-333.

When the statutory provisions which are intended to shield the CAs from liability do not protect them from claims of negligence, there are additional methods to limit liability. The Utah-DSA includes a provision to specify a reliance limit in the certificate itself.126 Then the CA's liability is limited to that amount, including the prohibition of punitive damages, if the CA otherwise complied with the licensing requirements.127 In contrast, the ABA-DSGs do not mention such a provision.

121 See ABA-DSG supra note 7 at § 3.16 and comments 3.16.1-2, observing that the limitation of liability is necessary to encourage business to enter these uncharted waters.
122 U.C.A. 1953 s 46-3-308.
123 U.C.A. 1953 s 46-3-308, and ABA-DSG supra note 7 at § 3.16 and comments 3.16.1-2.
124 Id.
125 ABA-DSG supra note 7 at § 2.3 and comment 2.3.3, pointing out that reliance on the digital signature for verification is foreseeable, and thus civil liability may accrue where the CA breaches its applicable duty of care. The Utah-DSA makes the standard simple negligence, U.C.A. 1953 s 46-3-301, and the ABA-DSGs at comment 2.1.4 specify "commercially reasonable under the circumstances".
126 U.C.A. 1953 s 46-3-104(1)(j).

Generally, the intention is to encourage businesses to enter this field and make digital signature technology available rapidly on a wide scale.128 The flavor of the statutes is to grant CAs broad exemptions from liability as part of the process of encouraging their entry into this field.129 One might predict that as the field matures, the courts will adjust their treatment of liability to suit the commercial reasonableness of the behavior of the CAs.130

C. Are they an Expression of Intent?

As was noted in Part III(A)(3) supra, at common law and in the Statute of Frauds, any mark made with the intent to authenticate is acceptable as a signature.131 The courts will almost certainly use this same test where digital signatures are required.132 When the signer is simply negligent in the use of a digital signature, liability will still most likely attach.133 However, when the conduct of the signer does not represent a breach of a duty sufficient to trigger liability, then genuine questions of intent regarding the use of a digital signature may be sufficient to render them ineffective to bind the signer. Consider a case where the subscriber is required by the choice of the recipient's software to use digitally signed communications only, as a method of providing security and identification of senders. A digital signature attached for that purpose might not have been attached to legally bind the signer to the contents.134 Rather it would serve the same function as buying and affixing a postage stamp to a letter, rather than the function of signing the enclosed document.

127 U.C.A. 1953 s 46-3-308.
128 ABA-DSG supra note 7 at § 3.16 and comment 3.16.1.
129 Id.
130 See e.g. Thomas, supra note 8 at 1150-52, 77-78, discussing judicial adaptation to the evolution of the use of telegraphy in business transactions, and opining that a similar adaptation will occur in their treatment of the use of electronic media.
131 See supra notes 83-87 and accompanying text.
132 See Thomas, supra note 8 at 1161-1164.
133 See e.g. U.C.A. 1953 s 46-3-303(1), invoking a simple negligence standard.

Another potential difficulty which digital signatures present is the possibility that computer to computer communication will be made using them to authenticate the message.135 The issue for the law is, again, intent. Where no affirmative act occurred in the actual fixation of the signature, the question of intent is secondary. Clearly, the decision to allow the computer to affix the signature is something under the control of the signer at some point in time. However, it is conceivable that the intent and the reasonable expectation of the signer when enabling such a feature might not correspond with the prima facie liability that might accrue when the signature is attached by the computer.136 At present, this is beyond the leading edge of the law.137

D. The Best Evidence Rule

One area of the law that has nicely anticipated the use of electronic documents is the law of evidence.138 The potential problem with the Best Evidence Rule has been circumvented by the provision in Rule 1001(3) of the FEDERAL RULES OF EVIDENCE that expressly provides that "[i]f data are stored on a computer or similar device, any printout or other output,139 readable by sight, shown to reflect the data accurately, is an original" [emphasis in the original].140 Thus, courts will have no difficulty admitting as originals electronic copies of documents that have been digitally signed, since they can be shown to reflect the data accurately.141 Recall that a document offered to prove the truth of its contents is still hearsay; therefore a hearsay exception such as the FED. R. EVID. 803(6) Business Records exception must be found to complete the admissibility argument. There is no reason to anticipate that digitally signed electronic documents will be treated any differently in this regard than any other business records.142

134 See Thomas, supra note 8 at 1152, 1161-62.
135 Joel R. Wolfson, Information Transactions of the Information Superhighway: Its not just Software Law Anymore, 11 J. Proprietary Rts. 2 (1994) n.17-21 and accompanying text [Hereinafter Wolfson], observing that the issue of computer to computer communication where no human being affixes a signature is beyond the leading edge of present law.
136 Note that both hardware and software errors might be culpable in such a case, rather than simple negligence on the part of the signer. Note that the Utah-DSA only provides a rebuttable presumption of intent and validity, see U.C.A. 1953 s 46-3-401(5).
137 See supra note 133.
138 See Thomas supra note 8 at 1167-68, pointing out how the potential for controversy has been nicely mooted by Art. X of the FED. R. EVID. See also ABA-DSG supra note 7 at §

The associated problem of situations where only the original should exist presents a problem for digitally signed documents. Perhaps the most problematic example is the use in commerce of documents that are themselves negotiable instruments, a signed check, for example. If one were to create an electronic version of a negotiable instrument, then since electronic copies are essentially indistinguishable, one could produce any number, presumably all equally negotiable. Several solutions are possible to deal with this type of problem. First, one could allow electronic documents to be negotiable instruments only where the fund transfer actually accompanied the digitally signed communication transaction.143 Another solution is to require a unique serial number on each such instrument, and provide that it would be honored for payment only once.144 Other suggestions include establishing central registries and the adoption of emulated currency, as well as the banning of the creation of electronic negotiable instruments.145 This allows for fraud where an unauthorized party intercepts the message, and submits the enclosed negotiable instrument for payment prior to the submission by the intended recipient. Similar problems occur when electronic documents grant title to property such as a bill of lading.146 As the property is unique in principle, and the document is not negotiable, the fraud possibilities are essentially identical with those encountered when using written documents. Many countries are moving towards acceptance of electronic documents for customs purposes.147

§ 5.5 and comment 5.5.3; and Stanley A. Kurzban, Authentication of Computer-Generated Evidence in the United States Federal Courts, 35 IDEA: J.L. & Tech. 437 (1995).
139 This allows one to remain in the paperless world by simply displaying the document on a computer terminal. There is no express requirement for a hard copy.
140 FED. R. EVID. Rule 1001(3).
141 See Thomas supra note 8 at 1167-68.
142 See generally Peter N. Weiss, Electronic Documents: Steps Toward Developing A Security Policy, 12 J. MARSHALL J. COMPUTER & INFO. LAW 425, 429-32 (1993).
143 This is the solution taken by the Utah-DSA, U.C.A. 1953 s 46-3-403. See also ABA-DSG supra note 7 at § 5.7, declining to adopt a final solution to the problem of negotiable instruments.

E. Fraud Possibilities

Among the unfortunate certainties in life is the assurance that attempts to defraud others will be present so long as our species exists. This tendency is proportional to the probability of surreptitious success. When introducing any new feature to society, one is always well counseled to carefully consider the potential for fraud. At the same time, one can rest assured that should there be any significant opportunities for the dishonest, they will be quickly discovered and exploited. The hope is to anticipate the most obvious and patch the law as new loop-holes are revealed. The following is a brief list of places where potential opportunities for such exploitation might possibly exist.

144 See ABA-DSG supra note 7 at § 5.5 and comment 5.5.6.
145 Id.
146 See Stasia M. Williams, Something Old, Something New: The Bill of Lading in the Days of EDI, 1 Transnat'l L. & Contemp. Probs. 555, 571-574 (1991).
147 Id. at 572.


First on the list is the possibility to corrupt the system itself. The weakest link is the association of an individual with a certificate from a CA. The Utah-DSA requires that certificates only be issued after receipt of a "signed" application.148 However, the act also provides that a digital signature is good for all signature purposes, and does not expressly exclude applications for certificates from CAs.149 Thus, once an individual obtains a single certificate, she is immediately assisted in getting as many others as needed based on the first one. Thus, even if the first certificate is obtained by fraud or misrepresentation, and that conduct is subsequently discovered, if the subsequent CAs do not correlate the notice of revocation of the first certificate, the use of the additional certificates may be less likely to be discovered.

Another possibility for fraud accompanies the ability of any party, even one who is unidentified to the CA, to request the suspension of a certificate for any reason under the provisions of the Utah-DSA.150 Here, as pointed out in the ABA-DSGs, there is the potential for a severe disruption in the subscriber's business. Parties intent on injuring or harassing the subscriber might be tempted to anonymously and wrongly advise the CA that the subscriber's private-key had been compromised. Even a short suspension to confirm the bogus nature of the report might be sufficiently damaging to the subscriber to satisfy the motives of the wrong-doer. The desire to act quickly to suspend a potentially compromised certificate must be balanced against the opportunity to commit such a fraud.

The present form of the Utah-DSA also has a peculiar loop-hole in duties. The CA has a duty to notify the subscriber if it should become aware of any reason to suspect the compromise of the private-key (or for any other reason that the certificate should be suspended).151 However, the subscriber, although charged with a duty to exercise reasonable care to see that the private-key is not compromised,152 does not have a reciprocal statutory duty to notify the CA should the subscriber become aware that the private-key has become compromised,153 although the subscriber is required to indemnify the CA for any loss due to the subscriber's negligence.154 Although it may be difficult to imagine a scheme to defraud based on this seemingly minor asymmetry in duties, an unscrupulous person might be able to set up a certificate which is provably valid upon creation, and permit compromise to a clandestine accomplice in a fashion that cannot be easily attributed to his intent or negligence. Then upon discovery, disclaim liability for the accomplice's use, safe from fault even if it is shown that he was at some point aware, or should have been aware, that the private-key had been compromised.

148 U.C.A. 1953 s 46-3-301.
149 U.C.A. 1953 s 46-3-402.
150 U.C.A. 1953 s 46-3-305.
151 U.C.A. 1953 s 46-3-304(2)(a).

The final suggestion for a potential source of fraud concerns the use of time stamps. Under the normal scheme, it is the recipient who time stamps the message by using a CA that provides a time stamp with the subscriber's certificate. This allows an unscrupulous recipient to hold a copy of the original message until a later time and re-time stamp it to gain the benefit of that later value of the time stamp. The subscriber may of course introduce other evidence that the message was sent at an earlier time,155 but the only mechanism to guarantee that the message being sent is time stamped before actual transmission to the recipient is to employ another version of a CA which acts as a third party forwarder adding a time stamp to the message. Provisions for such services are contemplated, but add to the infrastructure overhead.156

V. What are the Alternatives?

152 U.C.A. 1953 s 46-3-303(1).
153 However, the subscriber does have to certify at the time of issue of the certificate that the private-key is not compromised, U.C.A. 1953 s 46-3-302(1)(b).
154 U.C.A. 1953 s 46-3-302(4)(a).
155 U.C.A. 1953 s 46-3-401(4).
156 See ABA-DSG supra note 7 at § 5.6 and comment 5.6.2.


Having discussed the benefits and potential problems of PKE based digital signatures, it is reasonable to discuss the possible alternatives. PKE digital signatures are the "new kid on the block", as all of the alternatives that are offered in competition are already in substantial use. First on the list are symmetric cryptosystems.157 These employ the same private key on either end. Authentication is less of a problem since the recipient's key is physically transported to her and identities are . Examples of such systems include telephone calling cards and ATM cards where the user has a unique private-key, known to the phone company or bank as the case may be. In the commercial environment, almost all present transactions employ such symmetric cryptosystems.158 The two most widely used systems are the Electronic Funds Transfer (EFT) system used primarily by financial institutions to transfer funds between institutions, and the Electronic Data Interchange (EDI) system which is the most widely used system in commercial trading.159

The disadvantages of symmetric cryptosystems include the need for each individual pair of potential communicating parties to exchange in advance a common private-key via a secure medium. This creates an enormous procedural overhead in commerce, especially where it is desirable to rapidly establish reliable communication with a geographically remote party. Ironically, PKE technology may lengthen the useful life of many symmetric key based systems by providing a solution to their key distribution problem.160 Although with symmetric cryptosystems there is the same ability as with PKE systems for the recipient to authenticate the content of the message, the recipient's possession of the common key gives her the ability to alter the message and re-encipher it with no internal way to detect that the altered message was not the one actually received.161 Also, there is no internal method of obtaining any reliable time stamp for either the dispatch or receipt of the message.

157 See Ford, supra note 12 at 66-71.
158 Id.; and Longley, et al., supra note 12 at 327, describing the symmetric cryptosystems used by both the Electronic Funds Transfer (EFT) and Electronic Data Interchange (EDI) systems.
159 See Ford, supra note 12 at 4; and Morrisson, supra note 89 at 637-44.
160 See Rivest, et al., supra note 10 at 121, pointing out this potential use for the RSA based PKE systems.
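The following Python model, added here and not part of the original note, makes two of its points concrete: the non-repudiation gap of a shared symmetric key just described (Part V), and the observation in Part III(A)(5) and Part IV(E) that a time stamp obtained by the recipient proves only that the signature existed before the stamp, not when it was affixed. The RSA primes, the second key pair for the time-stamping CA, the messages and the clock values are all constructed for illustration and are not the Appendix A values.

```python
"""Toy model: a recipient's CA time stamp only bounds signing time from above,
and a shared symmetric key lets the recipient re-authenticate an altered text."""
import hashlib
import hmac
from typing import List, NamedTuple

# Constructed toy RSA parameters (not the paper's Appendix A values, and far too
# small for real use; they only keep the arithmetic visible).
P, Q = 61, 53
N = P * Q                            # 3233, public modulus
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (2753)

# Independent toy key pair for the certification authority that issues stamps.
CA_N = 71 * 67                       # 4757
CA_E = 17
CA_D = pow(CA_E, -1, 70 * 66)


def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the signing modulus (toy-sized only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(data: bytes, d: int, n: int) -> int:
    return pow(digest(data, n), d, n)


def rsa_verify(data: bytes, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == digest(data, n)


# --- Symmetric key vs. PKE signature (Part V) ------------------------------
SHARED_KEY = b"constructed-shared-secret"   # held by sender AND recipient
ORIGINAL = b"Pay L. Pinsky 100 dollars"      # constructed message
ALTERED = b"Pay L. Pinsky 900 dollars"       # recipient's substitution


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def symmetric_exchange():
    """Sender tags ORIGINAL; the recipient, holding the same key, substitutes
    ALTERED and recomputes the tag. Both verify, so nothing inside the scheme
    shows which text was actually sent."""
    sender_tag = mac(SHARED_KEY, ORIGINAL)
    original_ok = hmac.compare_digest(sender_tag, mac(SHARED_KEY, ORIGINAL))
    recipient_tag = mac(SHARED_KEY, ALTERED)
    altered_ok = hmac.compare_digest(recipient_tag, mac(SHARED_KEY, ALTERED))
    return original_ok, altered_ok                  # (True, True)


def asymmetric_exchange():
    """Sender signs ORIGINAL with D. The recipient verifies with (E, N) but,
    lacking D, can only re-present the sender's signature, which fails on
    ALTERED."""
    sig = rsa_sign(ORIGINAL, D, N)
    return rsa_verify(ORIGINAL, sig, E, N), rsa_verify(ALTERED, sig, E, N)


# --- What a CA time stamp proves (Parts III(A)(5) and IV(E)) ---------------
class TimeStamp(NamedTuple):
    time: int        # constructed clock value
    token: bytes     # what was stamped: message || signature
    ca_sig: int      # CA's signature over time || token


def ca_time_stamp(token: bytes, clock: int) -> TimeStamp:
    """The CA attests only that it saw `token` at `clock`."""
    payload = clock.to_bytes(8, "big") + token
    return TimeStamp(clock, token, rsa_sign(payload, CA_D, CA_N))


def stamp_valid(ts: TimeStamp) -> bool:
    payload = ts.time.to_bytes(8, "big") + ts.token
    return rsa_verify(payload, ts.ca_sig, CA_E, CA_N)


def provable_upper_bound(stamps: List[TimeStamp]) -> int:
    """A valid stamp proves the token existed no later than ts.time, nothing
    earlier; the tightest fact the stamps alone give is the earliest one."""
    return min(ts.time for ts in stamps if stamp_valid(ts))


def signed_token(msg: bytes) -> bytes:
    return msg + rsa_sign(msg, D, N).to_bytes(2, "big")   # sig < N < 2**16


def recipient_stamps_late() -> int:
    """Signed at clock 100 (recorded nowhere); the recipient withholds it and
    has it stamped at 900. The record then proves nothing before 900."""
    return provable_upper_bound([ca_time_stamp(signed_token(ORIGINAL), 900)])


def forwarder_stamps_first() -> int:
    """Sent through a forwarding CA that stamps before delivery (clock 105):
    the bound stays at 105 however late the recipient stamps again."""
    token = signed_token(ORIGINAL)
    return provable_upper_bound([ca_time_stamp(token, 105),
                                 ca_time_stamp(token, 900)])
```

Reducing a SHA-256 digest modulo a four-digit modulus makes collisions trivial, which is why the block is a model of the protocol's logic and not of its strength.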

The great advantages of symmetric cryptosystems are their relative speed when compared to PKE algorithms, and the high degree of confidentiality for large messages. This is the reason that the government uses such techniques for those of its transmissions that require the greatest security.162 Also, the length of the message is typically the same independent of encryption, so the net volume of network traffic is not increased by their use.

Finally, the actual enciphering and deciphering techniques are similar to but less constrained mathematically than those proposed for the PKE schemes. The requirement that each communicating pair be supplied with a unique key creates the desire for an enciphering algorithm that puts less stringent demands on the exact nature of the key. This has led to hardwired algorithms implemented on individual electronic integrated circuits (chips). The Federal government adopted such an algorithm, known as the Data Encryption Standard [hereinafter DES], in 1977.163 The DES chip allows the rapid processing of large volumes of data using any 56-bit random number as the symmetric key. It is still in use today, and there have been no reported successful attacks.164 However, fears that the DES chip will eventually be successfully breached have led to the proposal that it be replaced with a new chip based on a classified algorithm known by the code name SKIPJACK.165 The new chip is referred to as the Clipper Chip and employs an 80-bit random number as a key.166 The National Security Agency has proposed that the Clipper Chip be adopted as the national standard for all secure communications. This has met with considerable opposition because the SKIPJACK algorithm is known to possess a trap-door. The trap-door consists of two independent 80-bit secret keys that will allow the holder to decipher any enciphered message.167 The proposal is to house the trap-door keys with two independent law enforcement escrow agents under strict controls, requiring judicial approval for their authorized use to intercept and decipher a particular message.168 Enumeration of the arguments for and against the Clipper Chip is beyond the scope of this discussion, and bears on it only to the extent that it is a potential symmetric cryptosystem in competition with the PKE systems described here.

161 See Ford, supra note 12 at 66-71.
162 Id. at 70-71.
163 Id. at 67, describing the details of the DES algorithm which is publicly known.
164 Id. at 70.
165 Id. at 71.
166 Id.

VI. Conclusions

The PKE systems based on the RSA and DSS algorithms are clearly workable alternatives to the symmetric cryptosystems presently in use. They offer significant advantages in authentication of the content of the messages as well as the traditional signature function of signer identification. Their ability to establish a form of rapid communication with remote parties that will allow legally binding transactions to occur makes them unique. However, they do come with a price. The requirement that an infrastructure of certification authorities be established, along with the official regulation of those authorities, is a cost that must be included in the evaluation. One can expect other states to follow Utah's lead,169 and establish Digital Signature Acts of their own. The American Bar Association's Digital Signature Guidelines170 are an excellent starting point for legislators considering the provisions that such an act must include. As noted in the various sections of this note, the two do not always agree,171 and the resolution of those areas of alternate approach will likely await the inevitable case law to come.

167 Id.
168 Id.
169 See U.C.A. 1953 s 46-3, The Utah Digital Signature Act.
170 ABA-DSG supra note 7.

Lawrence S. Pinsky

171 See supra notes 79, 81, 83, 92, 93, 97, 125, 143, and 151.


Appendix A. A "Simple" Numerical Example of the RSA PKE Algorithm

The following is an example of the RSA PKE algorithm using small "easily calculable"

numbers to illustrate the technique. The reader is referred to Part II(B)(3) supra for the

discussion of the technique. All numbers will be normal decimals to facilitate their

interpretation and allow verification of the calculations with any normal 4-function calculator.

Let us take as our "message" the author's initials "LP". As described in Part II(B)(1), in ASCII

these letters would be represented by the numbers 76 and 80 respectively. (Capital A begins at

65 in ASCII.) Thus the message is represented in decimal numbers by 7680. Since we want a

"simple" example, and since the value of N must exceed the maximum size of the message, let

us break the message into 4 pieces: 7, 6, 8, and 0. The largest number we would have to deal

with given this message is 8. To choose N we first choose two primes, p and q and then let N =

p * q. To keep things manageable, let's pick:

p = 3 , and q = 11 . (Both being prime numbers as required.) (A1)

Then:

N = p * q = 3 * 11 = 33 . (A2)

This would then allow messages up to the number 32 to be enciphered with the keys we are

about to find. We choose d, the public-key first. To do that we need to calculate:

f = ( p - 1 ) * ( q - 1 ) = ( 3 - 1 ) * ( 11 - 1 ) = 2 * 10 = 20 . (A3)

Recall from eqn. (6) supra Part II(B)(3) that d must be relatively prime to f (or 20 in this

case). If we choose d to be a prime that is not a factor of 20, we will have satisfied that

requirement. The prime factors of 20 are:

20 = 2 * 2 * 5 (A4)

Since 3 is available, let us choose:

d = 3 . (A5)

Now we must find e. From eqn (8) supra Part II(B)(3), we have:

e * d = 1 ( mod ( p - 1 ) * ( q - 1 ) ) , (8)


or, e * 3 = 1 ( mod 20 ). (A6)

The RSA system uses the following algorithm here to solve for e.

We are basically looking for the smallest number that when multiplied by 3 will be 1 more than

some integer multiple of 20. This is easily solved by an iteration process. Basically, we want the

smallest integer that solves:

e * 3 = n * 20 + 1 . (A7)

We are fortunate that the solution here is very easy:

e = 7 . (i.e. 3 * 7 = 1 * 20 + 1 = 21). (A8)

Thus we have found both keys. Let us recap the values:

N = 33 ;

d = 3 ;

e = 7 ; and

M1 = 7 , M2 = 6 , M3 = 8 , and M4 = 0 . (A9)

We can proceed to encipher the first part of the message according to eqn. (1) supra Part II(B)(3),

C = M^e (mod N); (1)

or: C = 7^7 (mod 33) . (A10)

7^7 is a large number, but we require only the remainder after dividing 33 into that number.

Computers can carry out this part of the calculation with relative ease for very big numbers, but

you can verify this calculation on a simple calculator. The result is:

7^7 = 823,543 , (A11)

which when divided by 33 leaves a remainder of 28 (i.e. 823,543 / 33 = 24,955 with a

remainder of 28). Thus:

C1 = 28 . (A12)

This value would be transmitted along with the corresponding values for the other characters as

the digital signature. (Here we have not used the analog of a hash function, but have begun the

process of encoding the entire message. Upon receipt the message would be reconstructed from

the public-key, which consists of (N = 33, and d = 3). From eqn. (2) supra Part II(B)(3),

M = C^d (mod N) , (2)

or M = 28^3 (mod 33) . (A13)

28^3 = 21,952 , which when divided by 33 leaves a remainder of 7 (i.e.

21,952 / 33 = 665 with a remainder of 7) as required to reconstruct the original message. The

other characters encipher as:

C2 = 6^7 (mod 33) = 30 ;

C3 = 8^7 (mod 33) = 2 ; and

C4 = 0^7 (mod 33) = 0 . (A14)

Notice that C4 has a problem. The value of 0 gives itself away. To avoid this, the actual

algorithm would require padding to provide dummy bits to keep from falling into this problem.

Actually, any number that after the exponentiation did not "turn over" (i.e. exceed the modulus,

and thus be required to "wrap around" at least once), would also require padding. The

enciphered message would look like: 28300200. This then would be the digital signature and

the public key would be [3, 33].

The scheme is secure so long as an attacker cannot reverse the process in equation (8) to

find e. Of course, if the attacker can factor 33 to find p and q (i.e. 3 and 11), then he can quickly

use the same procedure used here to find e from d, p, and q. However, only N is divulged in the

public-key, not p and q. When N is a 200-digit number which is the product of 2 large primes,

there is no known way to factor it quickly.

Even this "simple" numerical example requires some considerable arithmetic. Although

easy for computers, the clear effort required illustrates the overhead that the PKE method

introduces to the process of communication.
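The whole of Appendix A, carried out in code as an added example that is not part of the paper: the key pair is derived by the iteration of eqn. (A7), the four message pieces are enciphered by eqn. (1) and recovered by eqn. (2) with the public key (N, d), the piece whose exponentiation never "turns over" is flagged as needing padding, and trial division of the toy modulus shows the factoring caveat. The function names are my own; the numbers are the appendix's.

```python
# Added example, not code from the paper: Appendix A carried out in Python.
# Names follow the paper (Part II(B)(3)): N = p*q, f = (p-1)*(q-1), d is the
# published exponent and e the secret one, so the public key is (N, d).
from math import gcd

def message_pieces(text):
    """'LP' -> ASCII 76, 80 -> '7680' -> [7, 6, 8, 0], as in the appendix."""
    return [int(ch) for ch in "".join(str(ord(c)) for c in text)]

def find_private_exponent(d, f):
    """Smallest e with e*d = n*f + 1 for some integer n (eqn. A7), by iteration."""
    if gcd(d, f) != 1:
        raise ValueError("d must be relatively prime to f (eqn. 6)")
    e = 1
    while (e * d) % f != 1:
        e += 1
    return e

def make_keys(p, q, d):
    """(N, d, e) for primes p, q and chosen public exponent d (eqns. A1-A8)."""
    N = p * q
    f = (p - 1) * (q - 1)
    return N, d, find_private_exponent(d, f)

def sign_pieces(pieces, e, N):
    """Encipher each piece M as C = M^e (mod N), eqn. (1)."""
    return [pow(M, e, N) for M in pieces]

def verify_pieces(ciphers, d, N):
    """Recover each M = C^d (mod N), eqn. (2), using only the public key (N, d)."""
    return [pow(C, d, N) for C in ciphers]

def unpadded_pieces(pieces, e, N):
    """Pieces whose M^e never wraps past N, so C gives M away: these need padding."""
    return [M for M in pieces if M ** e < N]

def signature_string(ciphers, N):
    """Fixed-width concatenation of the ciphers, e.g. '28300200' in the appendix."""
    width = len(str(N - 1))
    return "".join(f"{C:0{width}d}" for C in ciphers)

def factor_small_modulus(N):
    """Trial division recovers p, q for a toy N: the paper's caveat about small N."""
    for p in range(2, int(N ** 0.5) + 1):
        if N % p == 0:
            return p, N // p
    raise ValueError("N has no small factor; it must be a product of two primes")

N, d, e = make_keys(3, 11, 3)  # (33, 3, 7), the appendix's key pair
print(signature_string(sign_pieces(message_pieces("LP"), e, N), N))  # 28300200
```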
