Public Key Cryptographic Systems (PKCS) use computationally hard mathematics to obfuscate text and binary images. They use two distinct keys: one is kept private and one is made public. If you use one key to obfuscate something, only the other key can be used to make it clear again. This is a great technique for communicating with someone privately. My public key below uses the Ed25519 elliptic curve algorithm.
You can also make use of this to sign things. This is a very important technology. Signing something uses a hashing algorithm to produce what we call "a cryptographically strong hash." Currently the default hashing algorithm used for Ed25519 is SHA-512. This is much stronger than SHA-256, which is used for TLS 1.2 & 1.3 (HTTPS web traffic).
Let's take an example using GPG.
I swear this is from me. --Jon Pellant
Given the message above, how do we assure it came from me? The first thing I need to do is sign it.
% echo "I swear this is from me. --Jon Pellant" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I swear this is from me. --Jon Pellant
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRNEqFoJNU6mTZj2DeIxYJx/h0+3gUCaVfMTwAKCRCIxYJx/h0+
3nohAP9eKnGKz3pWcKt9S2aGxPFV6O1ew2pIKYf1y0Pcj5gZTAEAnWNFuk3zCZp8
mIk7urahwq97LMRgzNAKVneyRTagGgs=
=86dy
-----END PGP SIGNATURE-----
What this command did was to send (echo) my text to the standard output and pipe (|) that to gpg. The --clearsign flag told gpg to make the signature readable by humans.
That text in the SIGNED MESSAGE section produces a SHA-512 hash that looks like this:
528d3720082ec3053cccbe2906b433516eff4234f80bb4d593b5424328c59ed19063d6d6acc4560456c23062f6fa783e8100e84d055fc965d334f7bb30b215a0
What you see in the SIGNATURE portion of the message is this hash, obfuscated with my private key. So how does GPG check to see if it is valid?
% gpg -d sig.asc
I swear this is from me. --Jon Pellant
gpg: Signature made Fri Jan 2 08:48:50 2026 EST
gpg: using EDDSA key 4D12A16824D53A993663D83788C58271FE1D3EDE
gpg: Good signature from "Jon Pellant (pellant.com LTS) <jon@pellant.com>" [ultimate]
This command told gpg to decrypt the signature (-d). The sig.asc is simply the name of the file that holds the --clearsign message above. So this command found the public key for that signature (in my keyring) and used it to retrieve the SHA-512 hash. It then computed the SHA-512 hash from the SIGNED MESSAGE portion and compared them. If I change the first letter ('i') in the SIGNATURE to a 'j' and try it, I get:
gpg: CRC error; 0E2E63 - 57A0EF
gpg: unknown S2K mode 22
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
So even a 1-bit change failed the authentication check.
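The first line of the gpg output above is a CRC error: the ASCII armor around the signature carries its own CRC-24 checksum (the line starting with "="), and that check rejects the altered character before any signature math runs. The following is an added example, not part of the original post, that implements this armor check from RFC 4880 section 6.1; the sample bytes are constructed and are not a real signature, and the function names are this example's own.

```python
import base64

CRC24_INIT = 0xB704CE   # constants from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as used for the '=XXXX' line of OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, label: str = "PGP SIGNATURE") -> str:
    """Wrap raw bytes in ASCII armor: base64 body plus CRC-24 line."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "", *lines,
                      "=" + check, f"-----END {label}-----"])


def check_armor(text: str):
    """Return (ok, computed_crc, stored_crc) for one armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()][1:-1]
    if "" in lines:                      # skip armor headers, if any
        lines = lines[lines.index("") + 1:]
    stored_b64 = next(ln[1:] for ln in lines if ln.startswith("="))
    body = "".join(ln for ln in lines if not ln.startswith("="))
    stored = int.from_bytes(base64.b64decode(stored_b64), "big")
    computed = crc24(base64.b64decode(body))
    return computed == stored, computed, stored


# Constructed stand-in for a signature packet (not a real signature).
# It starts with 0x88 so that its armor begins with 'i', as in the post.
SAMPLE = armor(b"\x88" + bytes(range(1, 48)))
# The same edit as in the post: first armor character 'i' -> 'j' (one bit).
TAMPERED = SAMPLE.replace("\n\ni", "\n\nj", 1)

if __name__ == "__main__":
    for name, text in (("original", SAMPLE), ("tampered", TAMPERED)):
        ok, computed, stored = check_armor(text)
        print(f"{name}: ok={ok} computed={computed:06X} stored={stored:06X}")
```

To exercise the cryptographic check itself rather than the armor checksum, change a character in the signed text instead of in the signature block; the armor stays intact and gpg then reports a bad signature.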
So if I wanted to send a private email to someone:
I am going to be late for dinner, I have something secret to do.
Now if I type gpg --armor --encrypt --recipient wife@gmail.com --local-user jon@pellant.com, it produces the following text:
-----BEGIN PGP MESSAGE-----
hF4DOh4BHFWKqoASAQdAmQgbkMGzymRsFPt9YKRztej56XLfrfpLc3lzn6PfeTUw
ua+h7pOXVekXy4eKvPBqJevEyj+THXjv5dHT1fbxz3r9ge5VwaBKAxWwuzpPbnNg
1IIBCQIQFylQfpTSNcK9JWGSE2FPnXC8/LOrtFQGTnLFrELh41FIeisl0jw3bp7R
vKosp1ygmNcKVg5/6jbdnfiI8k7vYjlReCOh6UWadA2Wnz5U24u/Rn7HQH0ehgH4
d/2XzXtUcy7c3ZfL9AUhIdwuXRaUaTOixzXVEwaNlAav8Fhw
=2Z3s
-----END PGP MESSAGE-----
This will take millions of billions of years to crack with today's computers. The command took my wife's public key and encrypted the message with it. Now the only key that can open it is its mate, her private key. So when you share public keys, it allows people to validate messages signed with your private key as well as encrypt things to you. A combination of signing and encrypting ensures that only the recipient can read it and that they are assured it came from you.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZ9roKhYJKwYBBAHaRw8BAQdA3VJq+R5TJfCoFh+mwYshzT1ybuKfEWoUQTzk
5Rw0Il+0L0pvbiBQZWxsYW50IChwZWxsYW50LmNvbSBMVFMpIDxqb25AcGVsbGFu
dC5jb20+iJkEExYKAEEWIQRNEqFoJNU6mTZj2DeIxYJx/h0+3gUCZ9roKgIbAwUJ
B4TOAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCIxYJx/h0+3okXAP9Q
2daXGN4A62L91QVlAWnfXBAcbGT/jIHQgB7FJq4KuAEAqh/G+P9w+cbUtwM5TFyw
OzViIcHWEVtdDEt5QL2wrgm4OARn2ugqEgorBgEEAZdVAQUBAQdA8/zSiWgaWVDB
TxWbgfq27BTttz1XOrz3Gz6F9T4ZABADAQgHiH4EGBYKACYWIQRNEqFoJNU6mTZj
2DeIxYJx/h0+3gUCZ9roKgIbDAUJB4TOAAAKCRCIxYJx/h0+3kw1AQDzG8q0l7xG
cgDy9MOre3Wxl9caCiJygvh5MNKlzlXo3AD+Pe75GiXs7+tvWvvDMkD3dPkyrWem
Ul2ST4KqZ53psgg=
=hoqb
-----END PGP PUBLIC KEY BLOCK-----