When the Information Technology Act, 2000 first set out to give legal weight to paperless transactions, it had to answer a deceptively simple question: in a world of copyable bits, how does one "sign" an electronic record so that the signature is both unique to the signer and impossible to forge undetected? The Act's answer lives in Chapter II. Section 3, as originally enacted, tied authentication to a single technology — the digital signature built on an asymmetric crypto system and a hash function. The 2008 Amendment then inserted Section 3A to widen the net, recognising electronic signatures through a technology-neutral standard. Together these two provisions form the gateway through which every later concept in the Act — secure records, certifying authorities, presumptions of integrity — must pass. This chapter unpacks the mechanics, the statutory text, and the case law that tells courts when an electronic signature actually proves anything.

Why authentication is the foundation of the Act

The entire architecture of the IT Act rests on a single move: equating a verified electronic act with a physical, pen-and-paper one. Section 4 gives electronic records the legal status of writing; Section 5 gives electronic signatures the legal status of a handwritten signature. But neither of those equivalence rules means anything unless there is a trustworthy way to bind a particular person to a particular record. That binding is what "authentication" supplies, and it is the work of Sections 3 and 3A.

Authentication in this context is not merely identifying who pressed a button. It must achieve three things at once: prove the identity of the signer, prove the integrity of the record (that it has not been altered after signing), and supply non-repudiation (so that the signer cannot later credibly deny having signed). A handwritten signature does the first poorly and the second and third hardly at all; a cryptographic digital signature, properly implemented, does all three. The Act's drafters therefore did not simply digitise the signature — they raised the evidentiary bar. Readers coming to this chapter fresh may want to revisit the introduction to the Act and the controlling definitions before going deeper, since the language of "subscriber", "key pair" and "affixing" is defined terminology, not loose description.

Section 3: the bare provision

Section 3 of the Act, headed "Authentication of electronic records", provides in sub-section (1) that subject to the provisions of the section, any subscriber may authenticate an electronic record by affixing his digital signature. Sub-section (2) states that the authentication of the electronic record shall be effected by the use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

The Explanation to sub-section (2) defines a "hash function" as an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as the "hash result", such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm, and (b) that two electronic records can produce the same hash result using the algorithm.

Sub-section (3) provides that any person by use of a public key of the subscriber can verify the electronic record, and sub-section (4) provides that the private key and the public key are unique to the subscriber and constitute a functioning key pair. Note that the verb in the section is "may" — Section 3 is enabling, not mandatory; it permits a subscriber to use a digital signature, it does not compel anyone to sign electronically at all.

The cryptographic mechanics behind a digital signature

To read Section 3 with understanding, one must grasp what asymmetric cryptography actually does. In a symmetric system, the same secret key both locks and unlocks a message, which is useless for signatures because both parties would need to share the secret. An asymmetric crypto system — defined in Section 2(1)(f) as a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify it — solves this by using two mathematically linked but distinct keys. What one key locks, only the other can unlock.

The signing process works in two stages. First, the record is passed through the hash function, producing a short, fixed-length "digest" that is, for practical purposes, unique to that exact record; change even a single character and the digest changes completely. Second, the signer encrypts that digest with his private key, which he alone controls. The encrypted digest, appended to the record, is the digital signature. Verification reverses this: anyone holding the signer's public key decrypts the digest, independently re-hashes the received record, and compares the two. If they match, two things are proven simultaneously — the signature was created by the holder of the matching private key (identity and non-repudiation), and the record has not changed since signing (integrity). This dual proof is precisely why the statute insists on "asymmetric crypto system and hash function" together; neither alone delivers both guarantees.
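The two-stage process described above, as an added example (not code from the Act or from any certifying authority's software): hash-then-sign with textbook RSA over SHA-256, checked against a genuine record, an altered record, an altered signature and the wrong public key. The key pair is constructed from publicly known Mersenne primes and has no security value, the function names are illustrative, and deployed schemes additionally pad the digest before the private-key step.

```python
import hashlib

# Constructed demonstration key: two publicly known Mersenne primes.
# It offers no security and exists only so the example runs offline.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def make_key_pair(p=P, q=Q, e=E):
    """Return (private_key, public_key) as ((d, n), (e, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (d, n), (e, n)


def hash_result(record: bytes) -> int:
    """The 'hash result' of the record: its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Stage 1: hash the record. Stage 2: transform the digest with the private key.

    Textbook RSA without padding, for illustration only; deployed schemes
    such as RSASSA-PSS encode and pad the digest first.
    """
    d, n = private_key
    return pow(hash_result(record), d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Recover the signed digest with the public key and compare it to a fresh hash."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == hash_result(record)


def demo():
    private_key, public_key = make_key_pair()
    # A second constructed key pair stands in for some other subscriber.
    _, other_public = make_key_pair(p=2**607 - 1, q=2**1279 - 1)

    record = b"I agree to pay Rs. 10,000 to B on 1 March."  # constructed sample
    signature = sign(record, private_key)
    altered = record.replace(b"10,000", b"90,000")

    return {
        "genuine": verify(record, signature, public_key),
        "record_altered": verify(altered, signature, public_key),
        "signature_altered": verify(record, signature ^ 1, public_key),
        "wrong_public_key": verify(record, signature, other_public),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'rejected'}")
```

Only the first case verifies; each of the other three fails at the comparison step, which is the integrity and identity proof the paragraph describes.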

"Digital signature" as a defined term

It is a common error to treat "digital signature" and "electronic signature" as synonyms. The Act does not. Section 2(1)(p) defines "digital signature" as the authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3. The phrase "in accordance with the provisions of Section 3" is load-bearing: a digital signature is, by definition, the specific asymmetric-key-and-hash technique of Section 3 and nothing else.

By contrast, "electronic signature" is defined in Section 2(1)(ta) as authentication of an electronic record by a subscriber by means of the electronic technique specified in the Second Schedule, and includes a digital signature. The relationship is therefore one of genus and species: every digital signature is an electronic signature, but not every electronic signature is a digital signature. This taxonomy matters for litigation, because the evidentiary presumptions and the certifying-authority framework attach to defined categories, not to the colloquial idea of "signing online". The species-genus point flows directly into Section 3A, examined below.

Section 3A: the 2008 shift to technology neutrality

Section 3 had a structural weakness — it hard-wired one technology into the statute. If asymmetric cryptography were superseded, or if a citizen wished to sign using a different reliable method (say, an Aadhaar-based one-time-password flow), Section 3 simply had no room for it. The Information Technology (Amendment) Act, 2008, with effect from 27 October 2009, cured this by inserting Section 3A and re-titling the chapter to embrace "Electronic Signature".

Section 3A(1) provides that, notwithstanding anything contained in Section 3, but subject to the provisions of the sub-section, a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which (a) is considered reliable, and (b) may be specified in the Second Schedule. Sub-section (2) then lays down the reliability test: an electronic signature or technique is reliable if — the signature creation data or authentication data are, in the context used, linked to the signatory or authenticator and to no other person; those data were, at the time of signing, under the control of the signatory or authenticator and of no other person; any alteration to the electronic signature made after affixing it is detectable; any alteration to the information made after its authentication is detectable; and it fulfils such other conditions as may be prescribed. Sub-section (3) empowers the Central Government to prescribe the procedure for ascertaining whether the technique is reliable, and sub-section (4) provides that the Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or technique from the Second Schedule, with every such notification laid before each House of Parliament.

Section 3 versus Section 3A: a structured comparison

The two provisions are best understood side by side. Section 3 is technology-specific: it names one method (asymmetric crypto plus hash) and is mandatory in form for anyone who wants the label "digital signature". Section 3A is technology-neutral: it sets functional criteria of reliability and lets the executive populate the Second Schedule with whatever techniques meet them. Section 3 was part of the Act from its commencement on 17 October 2000; Section 3A arrived only with the 2008 Amendment.

Crucially, Section 3A opens with a non-obstante clause — "notwithstanding anything contained in Section 3" — which means the electronic-signature route operates independently of, and is not subordinated to, the digital-signature route. A subscriber may choose either. The reliability conditions in Section 3A(2) are, in substance, a statutory restatement of the same four functions the cryptographic model achieves automatically: sole linkage to the signer, sole control at the moment of signing, tamper-evidence of the signature, and tamper-evidence of the signed content. Where Section 3 guarantees those properties through mathematics, Section 3A demands that any rival technique demonstrate them functionally before it earns a place in the Schedule. This is why the framework is sometimes described as "functional equivalence" rather than "technical prescription".

The Second Schedule and Aadhaar eSign

Section 3A would be a dead letter without entries in the Second Schedule, and for years it largely was. That changed with the Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015, notified by G.S.R. 61(E) dated 27 January 2015 under the powers conferred by Section 3A. These Rules, read with the corresponding amendment to the Second Schedule, recognised the e-authentication technique using Aadhaar e-KYC services — the basis of "Aadhaar eSign".

Aadhaar eSign lets an individual sign a document online by authenticating against the UIDAI database, typically via a one-time password sent to the Aadhaar-linked mobile number. Behind the scenes a licensed Certifying Authority, acting as an eSign Service Provider, generates a key pair and a short-validity certificate on the fly, so the output is still a cryptographic signature — but the user experience requires no physical USB token. This is the practical bridge between Section 3A's neutral standard and Section 3's cryptographic guarantee. The licensing and supervision of the entities that issue these signatures is governed by the regime examined in certifying authorities — licensing and functions, and the heightened legal status that attaches to properly secured signatures is treated in secure electronic records and signatures.

Sections 3 and 3A define how to authenticate; Section 5 supplies the consequence. Section 5 provides that where any law requires that information or any matter shall be authenticated by affixing the signature, or that any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of an electronic signature affixed in such manner as may be prescribed by the Central Government.

The phrase "notwithstanding anything contained in such law" is what gives a Section 3 or 3A signature its bite across the whole statute book: a validly affixed electronic signature satisfies signature requirements in other Acts unless those transactions are excluded by the First Schedule (negotiable instruments other than cheques, powers of attorney, trusts, wills and certain property conveyances were historically excluded). Section 5 is, in effect, the destination to which Sections 3 and 3A are the road. Without it, a digital signature would be technically sound but legally inert.

Secure electronic signatures: Section 15

The Act draws a sharp line between an electronic signature that is merely valid and one that is secure. Section 15, as substituted by the 2008 Amendment, provides that an electronic signature shall be deemed to be a secure electronic signature if (i) the signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory and no other person, and (ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed.

This distinction is not academic. The label "secure" triggers the evidentiary presumptions discussed in the next section. A run-of-the-mill electronic signature carries no automatic presumption of authenticity; a secure electronic signature does. In practice, a digital signature created with a private key held on a tamper-resistant token, or an Aadhaar eSign generated under the prescribed controls, is engineered precisely to satisfy the "exclusive control" requirement of Section 15 and thereby cross from the merely valid into the secure category.

Evidentiary presumptions: Sections 85A, 85B and 85C

The authentication regime is mirrored on the evidence side. Section 85B of the Indian Evidence Act, 1872 provided that in any proceeding involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the point of time to which the secure status relates; and in any proceeding involving a secure digital (electronic) signature, the court shall presume, unless the contrary is proved, that the signature was affixed by the subscriber with the intention of signing or approving the electronic record. The sting is in the closing words: except for secure records and secure signatures, the section creates no presumption as to authenticity or integrity.

Section 85A presumes the conclusion of certain electronic agreements bearing electronic signatures, and Section 85C presumes the correctness of information in a Digital Signature Certificate that the subscriber has accepted. With the coming into force of the Bharatiya Sakshya Adhiniyam, 2023 on 1 July 2024, these presumptions have been carried forward in substantially the same terms (the secure-record and secure-signature presumptions now appearing in the corresponding sections of the new Sakshya Adhiniyam). The doctrinal point endures: the law rewards the extra discipline of a secure signature with a shifted burden of proof.

Case law: admissibility and the Section 65B / Section 63 certificate

Although Sections 3 and 3A govern how signatures are created, the cases that most often shape their practical force concern how electronic records are proved in court. The leading authority is Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, where a three-Judge Bench held that the certificate under Section 65B(4) of the Evidence Act is a condition precedent to the admissibility of secondary electronic evidence, and expressly overruled the contrary view in State (NCT of Delhi) v. Navjot Sandhu, (2005) 11 SCC 600, the Parliament Attack case, which had permitted proof of electronic records by ordinary secondary-evidence routes.

The position was briefly muddied by Shafhi Mohammad v. State of Himachal Pradesh, (2018) 2 SCC 801, a two-Judge Bench which suggested the certificate could be dispensed with where the party did not possess the device. That relaxation was disapproved by the larger Bench in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1, which reaffirmed Anvar P.V., held the Section 65B(4) certificate mandatory for secondary electronic evidence, clarified that no certificate is needed where the original device is itself produced and proved, and overruled Shafhi Mohammad. Following the repeal of the Evidence Act, the same scheme now lives in Section 63 of the Bharatiya Sakshya Adhiniyam, 2023, which retains and refines the certificate requirement. For the author of an electronic record, the lesson is that a cryptographically sound signature is necessary but not sufficient — the procedural certificate must accompany the record into evidence.

Case law: electronic records and contract formation

On the contract side, the Supreme Court in Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1, confirmed that a binding contract can be concluded purely through the exchange of e-mails, even in the absence of a signed formal contract document. After intensive e-mail negotiations, the Court treated the moment of unconditional acceptance communicated by e-mail as the moment of conclusion, holding that the mere absence of a signed formal contract did not affect either the unconditional acceptance or its implementation.

Although Trimex turned on the law of contract rather than on Section 3 directly, it is doctrinally important here because it demonstrates that Indian courts treat authenticated electronic communications as legally operative acts. The IT Act's authentication machinery and the general law of contract thus reinforce each other: Section 5 supplies the equivalence rule, Sections 3 and 3A supply the technique, and decisions like Trimex confirm that courts will give the resulting electronic acts full legal effect. For the broader treatment of when an electronic record is deemed to have been sent, received and attributed to a party, see attribution, acknowledgment and dispatch of electronic records.

Practical and exam takeaways

For the judiciary or CLAT-PG aspirant, a handful of distinctions reliably appear in questions. First, keep the genus and species straight: electronic signature is the genus (Section 3A, Second Schedule), digital signature is one species within it (Section 3, asymmetric crypto plus hash). Second, remember the chronology — Section 3 from 2000, Section 3A and the renamed chapter from the 2008 Amendment effective 27 October 2009. Third, the four reliability conditions of Section 3A(2) — sole linkage, sole control, signature tamper-evidence, content tamper-evidence — are frequently asked verbatim.

Fourth, do not confuse valid with secure: the presumptions of Section 85B (and its Sakshya Adhiniyam successor) attach only to secure records and secure signatures, which require the exclusive-control test of Section 15. Fifth, on the evidence side, the line of authority runs Navjot Sandhu (permissive, overruled) → Anvar P.V. (certificate mandatory) → Shafhi Mohammad (relaxation, overruled) → Arjun Panditrao Khotkar (certificate mandatory, original-device exception), now codified in Section 63 BSA. Holding these threads together — the creation rules in Sections 3 and 3A, the equivalence rule in Section 5, the security upgrade in Section 15, and the proof rules in the evidence statute — is what turns a list of sections into a working understanding of how electronic signatures actually operate. Readers can consolidate the wider framework via the Information Technology Act notes hub.

Frequently asked questions

What is the difference between a digital signature and an electronic signature under the IT Act?

A digital signature (Section 2(1)(p) read with Section 3) is the specific technique using an asymmetric crypto system and a hash function. An electronic signature (Section 2(1)(ta) read with Section 3A) is any reliable authentication technique specified in the Second Schedule, and it includes the digital signature. So electronic signature is the genus and digital signature is a species within it.

Why was Section 3A added in 2008 when Section 3 already existed?

Section 3 hard-wired a single technology — asymmetric cryptography — into the statute. The 2008 Amendment inserted Section 3A to make the law technology-neutral, allowing the Central Government to recognise other reliable techniques (such as Aadhaar e-KYC based eSign) in the Second Schedule without amending the Act each time a new method emerges.

What are the reliability conditions in Section 3A(2)?

An electronic signature or technique is reliable if the signature creation or authentication data are linked to the signatory and no one else; were under the signatory's sole control at the time of signing; any alteration to the signature after affixing is detectable; any alteration to the signed information after authentication is detectable; and it fulfils any other prescribed conditions.

Is a Section 65B (now Section 63 BSA) certificate needed to prove a digitally signed record?

For secondary electronic evidence, yes. Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, held the certificate a condition precedent, overruling Navjot Sandhu; Arjun Panditrao Khotkar, (2020) 7 SCC 1, reaffirmed this and overruled Shafhi Mohammad. No certificate is needed where the original device itself is produced. The requirement now sits in Section 63 of the Bharatiya Sakshya Adhiniyam, 2023.

What makes an electronic signature 'secure', and why does it matter?

Under Section 15, a signature is secure if the signature creation data was under the signatory's exclusive control at the time of affixing and was stored and affixed in the prescribed exclusive manner. It matters because the evidentiary presumptions of authenticity and integrity under Section 85B (and its Sakshya Adhiniyam successor) attach only to secure records and secure signatures.

Can a contract be validly formed through e-mail without a signed document?

Yes. In Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1, the Supreme Court held that a binding contract was concluded through an exchange of e-mails, and that the mere absence of a signed formal contract did not affect the unconditional acceptance or its implementation. The IT Act's equivalence rules reinforce this position.