To create a digital signature with ECDSA, a sender uses their private key to generate a unique “signature” for the message. The signature is then attached to the message, which can be verified by anyone who has the corresponding public key. This allows recipients to verify that the message was indeed sent by the owner of the private key and that it hasn’t been tampered with.
ECDSA uses cryptographic elliptic curves over finite fields specified by various standards such as SECG: SEC 2 and Brainpool (RFC 5639). These curves define a generator point G, used for scalar multiplication on the curve, and an order n of the subgroup of EC points generated by G. The length of private keys is defined by the number of bits in n.
The ECDSA sign/verify algorithm relies on EC point multiplication and works as follows:
1. Hash the message to get a hash value h.
2. Choose a random integer k between 0 and n-1 (inclusive).
3. Calculate r = (h + k * privKey) mod n, where privKey is the sender’s private key.
4. If r equals zero or if there exists an integer j such that h + k * privKey = j * G mod n and j != 0, then go back to step 2 and choose a new random value for k. This ensures that the signature is unique and cannot be easily guessed by attackers.
5. Calculate s as (k^-1) mod n using the extended Euclidean algorithm or some other method. If k was chosen randomly, then there exists an integer x such that k * x = 1 mod n. This can be used to calculate s: s = x * h mod n.
6. The signature is {r, s}.
7. To verify the signature, hash the message and compute r’ as (h + privKey * sign[0]) mod n. If r’ equals sign[0], then go back to step 2 with a new random value for k. This ensures that the verification process cannot be easily bypassed by attackers.
8. Calculate s’ as (privKey^-1) mod n using the extended Euclidean algorithm or some other method. If privKey was chosen randomly, then there exists an integer x such that privKey * x = 1 mod n. This can be used to calculate s’: s’ = x * sign[1] mod n.
9. The signature is valid if r’ equals sign[0] and (h + privKey * sign[0]) mod n equals (s’ * G) mod n, where G is the generator point of the elliptic curve used for signing.
ECDSA keys and signatures are shorter than in RSA for the same security level. A 256-bit ECDSA signature has the same security strength as a 3072-bit RSA signature. This makes ECDSA an attractive choice for resource-constrained environments such as embedded systems or mobile devices.
ECDSA also allows public key recovery from signatures, which is useful in bandwidth and storage constrained environments such as blockchain systems. The extended ECDSA signature {r, s, v} can be used to recover the signer’s public key with confidence. This feature makes it possible to verify signatures without storing or transmitting the public keys separately.