How Digital Signatures Work

By Craig Wright | 21 Jan 2020 | Alternative Coins & Systems

Way back in 2006, I wrote a legal paper as part of my work with Northumbria University and my postgraduate law studies on the topic of digital signatures and the Electronic Communications Act 2000 (ECA). And I’ve found it surprising how misunderstood the topic of digital signatures in technology really is. The people involved with systems like Bitcoin who have taken it from what I developed to form a criminal and anarchist system, or at least the failed attempt to try and do so, present a large part of such failure. Some of it actually even links to people like Mr Antonopoulos, who attempted to mislead courts into believing the so-called Dread Pirate Roberts defence in the case of Silk Road. In writing today’s post, I’ll explain the error in its false narrative. There is no such thing as handing keys over and saying they’re someone else’s, which is not how digital signatures work. Apart from Mr Antonopoulos not having a clue about how Bitcoin is designed, he has even less of a clue about how laws around digital signatures work.

Basically, it is well-understood that such lowlifes hate me, and it’s really easy to understand why they do as I am pulling apart their house of cards that is built upon the lie that Bitcoin is designed to promote anarchy and crime.

So, to pull apart another false myth that no one outside of the Bitcoin community (and ‘altcoin’ community, if it matters) even thinks about, I will look at electronic signatures based on a document I wrote in 2006.

What Is an “Electronic Signature”

Compliance with the EU Directive on Electronic Signatures [1] was accomplished by the UK Parliament through the passing, on 8th March 2002, of the Electronic Signatures Regulations 2002 (ESR). The regulations removed much of the uncertainty surrounding the existing provisions in UK law concerning electronic signatures, including the Electronic Communications Act 2000 (ECA), by putting into practice the concept of “advanced electronic signatures” [2].

The designation of advanced electronic signatures was directly extracted from the EU Directive on Electronic Signatures [3]. Article 3 of the Regulations, Supervision of certification-service-providers, implements the requirements of Article 3 of the Directive regarding the registering, recording, publishing, and supervision of certificate service providers (CSPs) by the Secretary of State. Article 4 of the Regulations implements the liability provisions in Article 6 of the Directive on qualified CSPs. Strict data protection principles included in the Directive regarding CSPs are implemented in Article 5 of the Regulations.

The basic provisions of the ECA regarding electronic signatures are thus expanded in the ESR, which have successfully implemented the EC’s framework for digital signatures and a developed PKI [4] into UK law. The Electronic Signatures Regulations 2002 defined a basic and an advanced electronic signature as follows:

Basic electronic signatures are defined broadly to include all types of electronic signature. They are defined in paragraph 2 of the Regulations as “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”.

Advanced electronic signatures are defined in the same act to include an advanced form of electronic signature and meet the ensuing requirements provided. As such, an advanced electronic signature is:

  1. uniquely linked to the signatory;
  2. capable of identifying the signatory;
  3. created using means that the signatory can maintain under his sole control; and
  4. linked to the data to which it relates in such a manner that any subsequent change of that data is detectable.

It is envisioned that an advanced electronic signature will rely on the application of a personal digital certificate provided by a certificate service provider (CSP). It is believed that such a digital signature, supported by an eligible certificate issued by an accredited certification authority (CA), will provide for certainty and non-repudiation to a recipient allowing for the trust in the data integrity and authenticity of the sender’s signature and message content.

A digitised electronic signature is not the same as a digital certificate. A digital signature is associated with a unique numerical code and value. The code, when associated with the correct cryptographic algorithm, allows one to verify the authenticity of the author of a digitally signed document with an extremely low probability of error [5].

An electronic signature can include a printed name, an e-mail address, and a scanned signature. On the other hand, a digital signature itself presents the unique numerical value based on the entire written document that is being signed. The ECA did not define electronic signatures in a manner consistent with Directive 1999/93/EC [6], which allowed an aspect of uncertainty.

In defining “Electronic signatures and related certificates” in section 7 of the ECA, little clarity was given on what distinguishes a digitised electronic signature and how it is not the same as a digital certificate.

The ESR was passed to clear up such uncertainty and provide compliance with the 1999 Directive. The Regulations have brought the UK legislation in line with the EC Directive, while helping to fix the eventual value of a digital certificate. The legislation has the effect of enabling the courts to treat the electronic signature as an equivalent to a manuscript signature. It directly mirrors the provisions of Art. 5(1) [7], which grants that such signatures:

(a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based [8] data; and

(b) are admissible as evidence in legal proceedings.

The definition of electronic signatures by the ESR in purely functional terms still will not allow the substitution, through an electronically signed document, of a manuscript involving a physical signing of the same document. The Electronic Communications Act 2000 has the effect of ensuring that the UK courts treat electronic signatures as producing the same evidential effects as physical signatures [9]. It does not adapt the electronic manuscript to a signed physical writing [10].

Formal requirements, such as ones existing for the dispossession of real property, prevent certain transactions from being carried out through electronic communications. The uncertainty around the formal requirements associated with digital contracting was corrected through the addition of further legislation, namely the introduction of the Land Registration Act 2002.

It remains uncertain whether the courts will amend their characterisation of individual signatures or keep it as delineated by Denning LJ in Goodman v. J Eban Ltd [11].

A certificated advanced electronic signature as defined by the ESR will likely show evidence of all features requisite in such a case, excluding the prerequisite for handwriting. It will make obvious that the document has received the individual endorsement of the signing party. There remains the difficulty of deciding whether a personal signature is by nature of form or of function.

Issues with Electronic Contracting

Electronic networks such as the Internet are primarily communication channels. Although there is much uncertainty surrounding such forms of communication, it should be remembered that there are fundamentally few real differences between new communication formats such as the Internet and older electronic measures such as phone lines. Just as in the past where a variety of different communication protocols could use a single carrier line such as a voice phone line [12], electronic mediums such as the Internet are a collection of protocols — each with its own and often separate issues.

The major uncertainty with electronic contracts stems from the facts of the individual dispute. Fundamentally, they concern the offer, acceptance, and consideration needed to fulfil the requirements for the creation of a contract. Because the offeror may stipulate the method of acceptance [13], it is prudent for the contracting parties to agree on the form of acceptance prior to the conclusion of the contractual negotiations.

Another important issue that surrounds Internet contracting comes with the general rule of law associated with the acceptance of an offer, which must be “communicated” to the offeror [14]. Under normal circumstances, the offeror must receive the acceptance before a contract will come into existence. Disputes as to the form, which may be alleviated to some extent by the ECA, do little to define the instance of communication.

What Does It Mean for Digital Signatures?

Bitcoin was primarily designed as a low-value cash system. Other overlay systems can be built on top of Bitcoin, enabling the legal construction of identity mapping and the ability to legally transfer large amounts of money. When we’re talking about small-value transactions, it is unnecessary to include identity information or to have a means for the consumer to recover the payment. All that said, none of it covers the requirements of a digital signature. Ross Ulbricht was not prosecuted on Bitcoin transactions alone. He certainly wasn’t transmitting identifiable public information in his digital signatures. He was arrested on good old digital forensics.

The low-life scumbag that is Ross Ulbricht is not the freedom-loving Gandhi-esque figure that people try to paint him as. But the reality does not stop them from creating a false narrative of how digital signatures work. You see, to prove someone’s identity with a digital signature, you need to first have a registered key.

You can’t use a digital signature to prove your identity; you prove your identity and then you have a digital signature to support it. The order here is important. Even if you register a key, the registration does nothing to prove anything prior to it. The key itself is not a marker of identity, but the registration of the key is. Bitcoin, then, can be integrated into the PKI or public key infrastructure system.

The first thing to know about using a digital signature for the purpose of determining an identity is that it must be uniquely linked to the signatory. If you can anonymously transfer keys without registration, they cannot legally be used as a means of identifying an individual. Keys must offer the capability to identify the signatory, which is possible to achieve in Bitcoin, but again, even with deterministic or hierarchical keys, they must be linked to a registered base key. Importantly, too, the key needs to be maintained in such a way that it stays under the signatory’s sole control.

It’s interesting that the so-called experts fail to understand the most basic aspects of law concerning digital signatures, and that they understand very little about the implementation of digital signatures. Some of the so-called lawyers in the ‘crypto’ media and Twitter sphere seem not to understand this simple fact. It makes you wonder whether they are merely incompetent or have an agenda.

If you wanted to use a digital signature associated with your Bitcoin wallet as a means of signing transactions with your identity, the process is not too difficult. The creation of a linked set of keys is possible so that you can remain pseudonymous on the blockchain and yet have your identity linked. The hashing function of payment addresses in Bitcoin also increases privacy. In order to link an identity to Bitcoin, you need to register the key formally. The key is only viable as a digital signature and identity reference after it has been registered. In other words, you can’t sign a document, register a key that can be transferred, and then say that the previous signature was definitively proven. It’s a shame how little people seem to understand about such a simple concept.
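The ordering argument above (a signature supports an identity only once its key has been registered) together with requirement 4 of an advanced electronic signature, as an added example that is not from the original post. It uses a Lamport hash-based one-time signature as a standard-library stand-in for Bitcoin's ECDSA; `KeyRegistry`, the integer timestamps and the identity string are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, tuple((H(a), H(b)) for a, b in sk)

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit, so the value depends on the whole document.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))

class KeyRegistry:
    """Hypothetical registrar: binds a public key to an identity from a time onward."""
    def __init__(self):
        self._entries = {}
    def register(self, pk, identity: str, at: int):
        self._entries.setdefault(pk, (identity, at))  # first registration wins
    def attribute(self, pk, msg: bytes, sig, signed_at: int) -> str:
        # Assumption: signed_at comes from an independent timestamp, not the signer.
        if not verify(pk, msg, sig):
            return "invalid"
        identity, registered_at = self._entries.get(pk, (None, None))
        if identity is None:
            return "valid-unregistered"
        if signed_at < registered_at:
            return "valid-predates-registration"
        return "attributed:" + identity

def demo():
    sk, pk = keygen()
    doc = b"constructed sample contract"  # constructed input
    sig, reg = sign(sk, doc), KeyRegistry()
    results = [reg.attribute(pk, doc, sig, signed_at=100)]  # key not yet registered
    reg.register(pk, "Alice Example", at=200)
    results += [reg.attribute(pk, doc, sig, signed_at=t) for t in (100, 300)]
    results.append(reg.attribute(pk, doc + b" (amended)", sig, signed_at=300))
    return results
```

The same mathematically valid signature yields three different outcomes depending only on the registration record, and the amended document fails verification outright.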

Notes

[1] Directive 1999/93/EC.

[2] S 2; Statutory Instrument 2002 №318; The Electronic Signatures Regulations 2002.

[3] Appendices I and II of the Directive are directly adopted in the Regulations.

[4] PKI stands for public key infrastructure.

[5] Lim (2002); Reed (2004); van de Graaf (1987); Vaughan (1997).

[6] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures [OJ No. L13, 19.1.00, p. 12].

[7] Art. 5(1), Directive 1999/93/EC.

[8] The distinction of a “paper document” is significant. The legal notion of a manuscript or document is particularly extensive. It has been extended to books of accounts (Hill v. R. [1945] KB 329), photographs of headstones and houses (Lyell v. Kennedy (No 3) (1884) 27 Ch D 1), and diagrams and plans (Hayes v. Brown [1920] 1 KB 250; J. H. Tucker & Co. Ltd. v. Board Of Trade [1955] 2 All ER 522).

[9] Leroux (2004).

[10] Reed (2000).

[11] Goodman v J Eban Ltd [1954] 1 QB 550; Lord Evershed MR at 55 also supports such assessment. Denning LJ at 56: “In modern English usage when a document is required to be “signed by” someone that means that he must write his name with his own hand upon it”.

[12] POTS (plain old telephone system) was used for the carriage of telex, facsimile, data transfer, and EDI-based communications. See also Hallberg (2005), p. 84.

[13] Eliason v Henshaw (1819) & Manchester Diocesan Council for Education v Commercial and General Investments (1970).

[14] McKendrick [1] (2005), pp. 43–44.