1

From what I understood, the digital signature is a long process and has the following steps:

  1. Hashing the Message Plain Text using a well-known (public) hashing algorithm.
  2. Encrypting it with sender's (A-PvtKey) Private Key.
  3. Appending the encrypted hash to the Message Plain Text and send/store/...
  4. Receivers can be one/many/any. None of the receivers' keys are used.
  5. Anyone wishing to verify the document just follows the reverse process. i.e.,
  6. Separate the encrypted hash from the message
  7. Decrypt with sender's public key (A-PubKey) (usually from a Digital Signature Certificate issued by a trustworthy / legally-acceptable CA).
  8. Generate the hash from the Message Plain Text independently and compare with the decrypted hash from #7 above.

Source: How does the digital signature process work?

The process of generating and verifying a digital signature requires a considerable amount of time. So, for frequent exchange of messages, the speed of communication will be reduced.

And I noticed there are commercial digital signature providers: http://www.digitalsignatureforetender.com/

How do they overcome the slow process of verifying a digital signature? Or are they using a different mechanism?

Sayan

2 Answers

2

> The process of generating and verifying a digital signature requires a considerable amount of time.

I doubt this claim:

  • Currently used cryptographic hashes are designed to be fast.
  • Data can be fed into the hash in pieces: one does not need to keep all the data to be signed in memory but can feed the data into the hash piece by piece, for example while doing other kinds of processing with the data which are usually more expensive than the hashing (like streaming on a network, copying it, transforming it for transport...).
  • Hashing does not need much memory, i.e. it only needs a constant amount of memory no matter how much data you include in the hash.
  • The final signature only involves (more expensive) cryptographic operations over the small hash no matter how much data needs to be signed and is thus fast too.

> So, for frequent exchange of messages, the speed of communication will be reduced.

The only kind of expensive step is creating the final signature using the private key; the hashing itself is cheap. Still, lots of signatures can be created in a short time with common hardware, and if this is needed the other processing during communication (i.e. transport over network) is probably more significant for performance than the signing process. For example, each full TLS handshake (i.e. HTTPS) is creating and validating digital signatures and still the performance of the connection is bound primarily by the latency of the network and also the key exchange, but not by creating or validating digital signatures.

It can be expensive though if lots of small pieces of data need to be signed - in this case aggregating the data and signing it together might be done, depending on the use case.

And it can be slow if slow hardware is used, for example smartcards protecting the private key. In this case the hashing is usually done outside this hardware and the slow hardware is only used for the ultimate signing of the small hash. When using a smartcard for signing, high performance is usually not required. The user has to put the smartcard into the smartcard reader first anyway and maybe unlock it with a PIN, so the additional slowness of the smartcard is not that relevant compared to the slowness of this whole process.

> And I noticed there are commercial digital signature providers ... How do they overcome the slow process of verifying a digital signature?

The site you reference does not do any digital signing at all. They do offer certificates which can be used for digital signing though - nothing special and not different from what others offer. The signing is still done by the users themselves, using the (secret) private key owned by the user.

Steffen Ullrich
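Added example (not part of the answer above or of the original page): a Python sketch of the hash-then-sign flow the answer describes, in which the message is hashed piece by piece in constant memory and the private-key operation only ever sees the 32-byte digest, whatever the message size. The key is a deliberately insecure toy assumption (textbook RSA over two public Mersenne primes, no padding) used only so the block runs with the standard library; all function names are hypothetical.

```python
import hashlib
import io

# Toy RSA key, illustration only (assumption, not from the page): the primes
# are the public Mersenne primes 2**521-1 and 2**607-1, so this key is NOT
# secure, and no padding scheme (PSS / PKCS#1 v1.5) is applied.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def stream_digest(stream, chunk_size=64 * 1024):
    """Hash a file-like object piece by piece; memory use stays constant."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.digest()


def sign_digest(digest):
    """Private-key step: its input is always the 32-byte digest."""
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(stream, signature):
    """Recompute the hash independently and compare with the recovered one."""
    recovered = pow(signature, E, N)
    return recovered == int.from_bytes(stream_digest(stream), "big")


if __name__ == "__main__":
    import time

    # Constructed sample messages: 1 kB and 50 MB of filler bytes.
    for size in (1_000, 50_000_000):
        msg = io.BytesIO(b"A" * size)
        t0 = time.perf_counter()
        digest = stream_digest(msg)
        t1 = time.perf_counter()
        sig = sign_digest(digest)
        t2 = time.perf_counter()
        msg.seek(0)
        print("%d bytes: hash %.4fs, sign %.4fs, valid=%s"
              % (size, t1 - t0, t2 - t1, verify(msg, sig)))
```

Run as a script, it prints the hashing and signing times for both sizes: only the hashing time grows with the message, while the signing time stays flat.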
-1

Typically asymmetric (public-private) cryptography is used to securely exchange a symmetric key in the case where large amounts of data are being transferred due to the relative speed of the symmetric cipher.

Daisetsu