Digital Signatures

What is a digital signature?

A digital signature proves two things at once: that the message has not been altered (integrity), and that it was produced by the holder of a specific private key (authenticity / non-repudiation). The verifier needs only the public key — never the private one.

Which algorithm should I use?

For new code prefer ECDSA P-256 or Ed25519: small keys, small signatures, fast. Use RSA-PSS when you must keep RSA but want the modern, provably-secure padding. RSA PKCS#1 v1.5 is still everywhere (TLS, JWT RS256, X.509) but is deterministic and has had decades of foot-gun history — keep using it for compatibility, but pick PSS for anything new.

RSA encryption vs RSA signing

They are not the same operation. Encryption hides a message from observers; signing proves it came from you. Use RSA-OAEP for encryption and RSA-PSS for signing — never mix the two padding schemes.

ECDSA nonce reuse — the bug that broke the PS3

ECDSA requires a unique random nonce k for every signature. Sony famously used a constant k across all PS3 firmware signatures; that immediately leaks the signing key. Modern libraries use RFC 6979 deterministic k or a properly seeded CSPRNG to eliminate this class of bug.