Trust without identity: hashes and signatures
Summary

When people think of cryptography, they often imagine secrecy. Encrypted messages, hidden conversations, locked files. But much of modern cryptography is not about concealment at all. It is about integrity. It is about proving that something has not changed, that it came from a particular source, and that it can be trusted even when the participants do not know each other.

In a global network where strangers exchange data constantly, trust cannot rely on familiarity. It must rely on mathematics. Two tools make this possible: cryptographic hash functions and digital signatures.

Hash functions: fingerprints of information

A cryptographic hash function takes input data of any size and produces a fixed-length output, often called a digest. That digest acts like a fingerprint. If even a single bit of the input changes, the resulting hash changes dramatically.

Modern examples include SHA-256 and its predecessor SHA-1. These functions are designed with three key properties:

The power of this design becomes clear in practice. If a software developer publishes a file along with its hash, anyone who downloads that file can compute the hash locally and compare it. If the values match, the file is almost certainly intact. If they differ, something has changed.

The parties involved do not need to know each other. They do not even need to communicate directly. The hash acts as a compact representation of integrity.

Hashes therefore create a form of trust that does not depend on identity. They answer the question, “Has this data been altered?” rather than “Who are you?”
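The check described above, as an added example that is not part of the original article: a downloader recomputes SHA-256 and compares it with the published digest, and a single flipped bit is enough to break the match. The sample "release" bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-length fingerprint: always 64 hex characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def matches_published(data: bytes, published_hex: str) -> bool:
    """Recompute the digest locally and compare it with the published value."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 256 digest bits differ between two inputs."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def demo():
    release = b"constructed release archive contents\n" * 1000  # sample input
    published = sha256_hex(release)        # what the developer would publish
    corrupted = flip_bit(release, 12345)   # one bit changed in transit
    return (
        matches_published(release, published),
        matches_published(corrupted, published),
        differing_bits(release, corrupted),  # roughly half of the 256 bits
    )


if __name__ == "__main__":
    print(demo())
```
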

Digital signatures: binding identity to integrity

Integrity alone is not always enough. In many cases, it matters who produced a message. A software update, a financial transaction, or a legal document requires not just confirmation that it is unchanged, but assurance that it originated from a specific party.

This is where digital signatures enter.

Digital signatures rely on asymmetric cryptography, where each user has a public key and a private key. A message is hashed first. The sender then uses their private key to sign that hash. Anyone with the corresponding public key can verify the signature.

The signature does not encrypt the message. It binds the sender’s private key to the message’s fingerprint. If the message changes, the signature verification fails. If someone attempts to forge the signature without the private key, verification also fails.

Algorithms such as RSA and the Elliptic Curve Digital Signature Algorithm (ECDSA) are widely used for this purpose.

Digital signatures create a bridge between identity and data integrity. They allow verification without requiring shared secrets. In many systems, they enable non-repudiation, meaning the signer cannot credibly deny having signed the message.
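The hash-then-sign flow described in this section, as an added example that is not code from the original article: textbook RSA over a SHA-256 digest using only Python's standard library. The key is built from two publicly known Mersenne primes and no padding is applied, both assumptions made purely for demonstration; real systems use a vetted library with RSA-PSS or ECDSA.

```python
import hashlib

# Demonstration key only (assumption for this example): both primes are
# publicly known Mersenne primes, so this modulus is trivially factorable.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest_as_int(message: bytes) -> int:
    """Hash the message with SHA-256 and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sign the message's hash (not the message itself) with the private exponent."""
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recompute the hash and check it against the signature using public values only."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


def demo():
    message = b"update v2 manifest (constructed sample)"
    signature = sign(message)  # the message travels in the clear beside it
    return (
        verify(message, signature),           # untouched message
        verify(message + b" ", signature),    # message changed after signing
        verify(message, sign(message, d=E)),  # signed without the private key
    )


if __name__ == "__main__":
    print(demo())
```
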

Trust in distributed systems

On the modern internet, these mechanisms operate constantly in the background.

When a browser connects to a secure website, it checks digital certificates that are themselves signed. When a smartphone installs an app update, it verifies a signature. When developers collaborate through distributed version control systems, commits are often signed to confirm authorship.

Hashes and signatures are also foundational to distributed systems that operate without central authorities. In blockchain-based networks, transactions are hashed into blocks, and each block contains the hash of the previous one. This chaining creates tamper-evidence at scale. Signatures authorise the movement of digital assets without requiring face-to-face verification.
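The chaining described above, as an added example that is not part of the original article: each block stores the hash of the previous one, and a verifier reports the first block that no longer checks out. The block layout, the all-zero genesis value and the transaction strings are assumptions constructed for illustration, not any real network's format.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first block


def block_hash(prev_hash: str, transactions: list) -> str:
    """SHA-256 over the previous block's hash plus this block's transactions."""
    payload = json.dumps({"prev": prev_hash, "txs": transactions}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches: list) -> list:
    """Link each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS
    for txs in batches:
        h = block_hash(prev, txs)
        chain.append({"prev": prev, "txs": txs, "hash": h})
        prev = h
    return chain


def first_invalid_block(chain: list):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        recomputed = block_hash(block["prev"], block["txs"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return i
        prev = block["hash"]
    return None


def demo():
    batches = [["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]]  # constructed
    chain = build_chain(batches)
    intact = first_invalid_block(chain)

    edited = copy.deepcopy(chain)
    edited[1]["txs"][0] = "bob->carol:200"   # alter a recorded transaction
    stale_hash = first_invalid_block(edited)  # block 1 no longer matches its hash

    # Recomputing block 1's own hash only moves the mismatch to block 2,
    # whose stored "prev" still points at the old value.
    edited[1]["hash"] = block_hash(edited[1]["prev"], edited[1]["txs"])
    broken_link = first_invalid_block(edited)
    return intact, stale_hash, broken_link
```
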

In all these cases, trust emerges not from knowing the other party personally, but from verifying mathematical relationships.

The limits of mathematical trust

Despite their strength, hashes and signatures are not magic. They assume that private keys remain secret, that algorithms remain unbroken, and that implementations are correct.

History has shown that weaknesses often arise not from the mathematical core, but from its surroundings. Poor random number generation can compromise signatures. Deprecated algorithms, such as SHA-1, can remain in legacy systems long after vulnerabilities are known. Key management failures can undermine otherwise sound cryptographic designs.

There is also a social layer. Public keys must be distributed and associated with identities in some way. Certificate authorities, trust stores, and software supply chains all introduce institutional dependencies.

Mathematics can verify a signature. It cannot guarantee that the public key belongs to who you think it does.

A different model of trust

What makes hashes and signatures historically significant is not just their technical elegance. It is the model of trust they enable.

In earlier eras, secure communication depended on shared secrets and controlled distribution. In modern digital networks, trust must scale globally among participants who may never meet.

Hashes ensure that data remains intact across vast and untrusted networks. Digital signatures ensure that integrity can be tied to a cryptographic identity rather than a physical one.

Together, they create a system in which trust is verifiable, portable, and decentralized. Identity becomes something that can be proven mathematically rather than asserted socially.

This shift, from trusting people to trusting proofs, defines much of the architecture of the contemporary internet.
