Understanding Cryptographic Signatures in ProofSnap

What Are Digital Signatures?

A digital signature is a mathematical scheme that proves the authenticity and integrity of digital data. Think of it as a tamper-evident seal that shows both who created the data and that it hasn't been modified since signing.

Unlike handwritten signatures that can be forged, digital signatures use cryptographic mathematics to create unforgeable proof of authenticity. They're the digital equivalent of a wax seal on an important document - but exponentially more secure.

How ProofSnap Uses Signatures

Every evidence package captured by ProofSnap includes multiple layers of cryptographic protection. Let's break down each layer:

1. RSA Key Pair Generation

When you first use ProofSnap, a unique RSA-2048 key pair is generated and securely stored on your device:

Private Key: Kept securely on your device, never transmitted or shared. This is like your personal seal that only you can use.
Public Key: Included in all evidence packages for verification. Anyone can use this to verify your signatures.

Why RSA-2048? This encryption standard uses 2048-bit keys, which would take current supercomputers millions of years to break. It's approved by NIST and used by governments worldwide.

2. Manifest File Creation

ProofSnap creates a manifest.json file containing SHA-256 hashes of all captured files:

{
  "timestamp": "2025-11-25T14:30:00.000Z",
  "url": "https://example.com/evidence",
  "files": {
    "screenshot.png": "a1b2c3d4e5f6...",
    "page.html": "f6e5d4c3b2a1...",
    "content.txt": "1a2b3c4d5e6f..."
  },
  "metadata": {
    "browser": "Chrome 120.0.0",
    "userAgent": "Mozilla/5.0...",
    "viewport": "1920x1080"
  }
}

3. Digital Signing Process

The manifest file is then digitally signed:

A SHA-256 hash of the manifest is created (a unique fingerprint)
This hash is encrypted with your private RSA key, creating the signature
The signature is saved as manifest.sig in the package
Your public key is included for verification

Understanding Hash Functions

Hash functions are the foundation of digital signatures. SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that:

Produces unique fingerprints: Even a single character change creates a completely different hash
Is one-way: You can't reverse-engineer the original data from the hash
Is collision-resistant: It's practically impossible for two different files to have the same hash
Is deterministic: The same input always produces the same output

Example: How Small Changes Affect Hashes

Original: "ProofSnap is awesome"
SHA-256:  8f3d4c5b2a1e9f8d7c6b5a4e3d2c1b0a...

Changed:  "ProofSnap is Awesome" (capital A)
SHA-256:  1b0a2c3d4e5f6g7h8i9j0k1l2m3n4o5p... (completely different!)

How Verification Works

Anyone can verify a ProofSnap evidence package without needing access to ProofSnap's servers. Here's the step-by-step process:

Step 1: Extract the Package

Unzip the evidence package to access:

manifest.json - List of all files and their hashes
manifest.sig - Digital signature
public_key.pem - Public key for verification
evidence.ots - Blockchain timestamp
All captured files (screenshot, HTML, etc.)

Step 2: Verify File Integrity

For each file listed in the manifest:

Calculate the SHA-256 hash of the actual file
Compare it to the hash stored in manifest.json
If they match, the file hasn't been tampered with

Step 3: Verify the Signature

Calculate SHA-256 hash of manifest.json
Decrypt the signature using the public key
Compare the decrypted value to the calculated hash
If they match, the manifest is authentic and untampered

Step 4: Verify Blockchain Timestamp

Visit opentimestamps.org
Upload the .ots file
Upload the original manifest.json
See proof that the manifest existed at a specific time on the Bitcoin blockchain

Why This Matters: Security Guarantees

Proof of Authenticity

The signature proves that the evidence package was created by the holder of the private key. Since only you have access to your private key, only you could have created this package.

Proof of Integrity

If even one byte of any file is modified, the verification will fail. This proves that the evidence hasn't been tampered with since capture.

Non-Repudiation

You cannot later deny creating the evidence package. The cryptographic signature is mathematical proof of authorship.

Timestamp Proof

The blockchain timestamp proves when the evidence existed. This timestamp cannot be backdated or forged.

Security Best Practices

Protect Your Private Key

Never share your private key with anyone
Back up your key securely (encrypted backup recommended)
If your device is compromised, generate a new key pair
Consider using hardware security modules (HSM) for high-value cases

Verify Before Trusting

Always verify packages before presenting as evidence
Test the verification process with colleagues
Keep verification tools readily available
Document the verification process

Store Evidence Securely

Keep original evidence packages in multiple locations
Use encrypted storage for sensitive cases
Never modify files within evidence packages
Maintain clear chain of custody documentation

Common Questions

Can signatures be forged?

No. Without access to your private key, it's mathematically impossible to create a valid signature. Breaking RSA-2048 would require computational power that doesn't exist.

What if I lose my private key?

Evidence packages you've already created remain valid and can still be verified. However, you won't be able to create new packages with that key pair. You'll need to generate a new key pair for future captures.

Can someone else verify my evidence?

Yes! That's the beauty of public key cryptography. Anyone can verify your evidence using the public key included in the package. They don't need your private key or access to ProofSnap.

How long are signatures valid?

Signatures remain cryptographically valid indefinitely. However, as computing power increases, encryption standards evolve. RSA-2048 is expected to remain secure for decades.

Technical Deep Dive: The Math Behind It

For those interested in the cryptographic details:

RSA Algorithm Basics

Choose two large prime numbers (p and q) - each 1024 bits for RSA-2048
Calculate n = p × q (the modulus, 2048 bits)
Calculate φ(n) = (p-1)(q-1)
Choose public exponent e (typically 65537 for efficiency)
Calculate private exponent d where d × e ≡ 1 (mod φ(n))

Public Key: (e, n)
Private Key: (d, n)

Signing Process

// Simplified representation
hash = SHA256(manifest)
signature = hash^d mod n  // Use private key exponent

Verification Process

// Simplified representation
hash_from_signature = signature^e mod n  // Use public key exponent
hash_calculated = SHA256(manifest)
valid = (hash_from_signature === hash_calculated)

Future Developments

Cryptographic technology continues to evolve. ProofSnap is exploring:

Post-quantum cryptography: Algorithms resistant to quantum computers
Multi-signature schemes: Requiring multiple parties to sign
Hierarchical keys: Organizational key management
Hardware security modules: Enhanced key protection

Conclusion

Cryptographic signatures transform simple screenshots into legally-defensible evidence. By combining RSA-2048 digital signatures, SHA-256 hashing, and Bitcoin blockchain timestamping, ProofSnap provides mathematical certainty about:

Who created the evidence (authenticity)
What the evidence contains (integrity)
When it was created (timestamp)

This cryptographic foundation makes ProofSnap evidence packages independently verifiable, legally robust, and trustworthy for any application requiring proof of web content.