Back to blogs
Written by
Ciara Nightingale
Published on
April 28, 2024

What is the Elliptic Curve Digital Signature Algorithm? - ECDSA Signatures

The Elliptic Curve Digital Signature Algorithm (ECDSA) is based on Elliptic Curve Cryptography (ECC) and is used to generate keys, authenticate, sign, and verify messages

Table of Contents

The Elliptic Curve Digital Signature Algorithm (ECDSA) is based on Elliptic Curve Cryptography (ECC) and is used to generate keys, authenticate, sign, and verify messages. Signatures provide a means for authentication in blockchain technology, allowing operations, such as sending transactions, to be verified that they have originated from the intended signer. But, how do they work and how are they created?

This article will teach you the basics of cryptography to understand the mechanisms underpinning authentication in Ethereum: ECDSA signatures, why they are used, how they work, and the different uses for ECDSA in Ethereum.

Authentication in Ethereum

Proof of ownership in Ethereum is achieved using public and private key pairs that are used to create digital signatures. Signatures are analogous to having to provide personal ID when withdrawing from the bank - the person needs to verify that they are the owner of the account.

This is known as public key cryptography (asymmetric encryption- more on this later) and is a cryptographic method that uses a key pair system:

  • The private key signs messages and is used to derive the public key
  • The public key is used to verify the private key.

It is difficult (for simplicity, can be assumed impossible) to calculate the private key from the public key, even for a computer (note that there is an exception to this assumption that will be discussed later). This means that knowledge of the private key grants access to the account whereas access to the public key does not.

These public and private key pairs define Ethereum externally owned accounts (EOAs) and provide a means for interacting with the blockchain by signing data and sending transactions, without others being able to access accounts they do not own. An Ethereum address is used as identification and is the last 20 bytes of the hash of the public key controlling the account.

What is a Signature?

Signatures provide a means of cryptographic authentication in blockchain technology, serving as a unique “fingerprint”, forming the backbone of blockchain transactions. They are used to validate computation performed off-chain and authorize transactions on behalf of a signer.

Digital Signature Creation Process

  • Creating signatures involves hashing the message and then combining this hash with the private key using the ECDSA algorithm; this process is referred to as signing a message.
  • Upon signing a message, a digital signature is generated, serving as a means to verify that the signer is indeed the intended account.
  • Each distinct message produces a unique hash, resulting in a correspondingly unique signature*.

*This is important when considering replay attacks. To prevent replay, each signature is required to be unique. This is achieved by including a nonce, or “number used once”, as part of the message. The majority of the time, the creation of digital signatures is abstracted away from the user, for example when signing a transaction in MetaMask. However, when implementing signatures into a smart contract, extra data, including a nonce and chain ID, should be added to the message to prevent replay. For more information on preventing replay attacks, refer to this comprehensive guide.

What is the elliptic curve digital signature algorithm?

The Elliptic Curve Digital Signature Algorithm (ECDSA) is a signature algorithm based on Elliptic Curve Cryptography (ECC). It is the cryptographic algorithm used to create keys and create and verify signatures used for authentication. It is useful to understand how it works on a high level in order to implement signature verification directly into smart contracts and understand how to ensure these smart contracts are secure.

The secp256k1 Elliptic Curve

The elliptic curve, secp256k1, is the specific curve used in ECDSA in Ethereum, chosen for its interoperability with Bitcoin, efficiency, and security. As with all elliptic curves, it is symmetrical about the x-axis. Therefore, for every (r,s,v) coordinate, more on what this means shortly, another coordinate exists that returns the same valid result. This means that two signatures exist for one signer at any point on the curve, allowing attackers to compute the second, valid signature without requiring the signer’s private key. This can lead to signature malleability which is a form of replay attack.

This curve can be visualized as:

graph of the curve of the What is the elliptic curve digital signature algorithm

Source: SECP256k1 curve

The secp256k1 curve has:

  • Generator point G is a specific point on the elliptic curve: (***x*** = 55066263022277343669578718895168534326250603453777594175500187360389116729240, ***y*** = 32670510020758816978083085130507043184471273380659243275938904335757337482424)
  • Order n of the subgroup of elliptic curve points, generated by G, which defines the length of the private keys (e.g. 256 bits) and is a prime number: 115792089237316195423570985008687907852837564279074904382605163141518161494337

It is not crucial to understand the meaning of these constants other than to understand that they exist and are used in subsequent calculations.

ECDSA Signatures Explained

Ethereum ECDSA signatures contain three integers: r, s, and v. The signature can be notated as (r, s, v):

  • r (integer in the range [1...n-1]): represents the x-coordinate on the elliptic curve based on a random point R on the curve.
  • s (integer ****in the range [1...n-1]): serves as proof of the signer’s knowledge of the private key p. s is calculated using a random unique nonce k, ensuring that the signature is unique every time.
  • The value v is used to recover public keys from the value of r and represents the index of the point on the elliptic curve used for the signature. The recovery process generates multiple solutions for the possible value of R. The addition of v specifies which solution is required.

For more information on ECDSA signatures, visit the Practical Cryptography for Developers documentation.

Elliptic curve digital signature algorithm in Ethereum

In Ethereum, ECDSA is used for the following:

  1. Key generation
  2. Signing messages
  3. Signature verification

Let’s go through how each of these works in more detail:

1. ECDSA Key Generation - How are Public and Private Keys Created?

An ECDSA key pair consists of the following:

  • A private key (integer) p: generated as a random integer in the range [0…n-1]
  • A public key (EC point): a point on the elliptic curve pubKey = p * G

The Elliptic Curve Discrete Logarithm Problem (ECDLP) - How Does ECDSA Ensure Security?

The signature (r, s, v) secures the private key due to the complexity of the Elliptic Curve Discrete Logarithm Problem (ECDLP). This problem involves finding an integer p (the private key) such that

pG = Q

where G is the Generator point and Q is the public key.

Given the public key and the generator point, it is computationally infeasible to derive the private key, therefore providing security for the ECDSA. One way to understand this is by taking two prime numbers and multiplying them together e.g.

134669 * 2467 = 332228423

Given the result, it would be very difficult (practically impossible) to calculate the input prime numbers, even for a computer. The exception to the assumption that this calculation is quantum computing. Quantum computing provides a way of solving this problem, thus compromising the security of ECDSA signatures by being able to extract the private key from the public key.

2. ECDSA signing - How are signatures created?

The ECDSA signing algorithm takes a message and a private key and produces a signature, a pair of integers (r, s).

The ECDSA signing algorithm works by:

  1. Calculating the message hash, using a cryptographic hash function e.g. SHA-256

h = hash(msg)

  1. Generating securely a random number k
  2. Calculating the random point R = k * G and take its x-coordinate: r = R.x
  3. Calculating the signature proof s using the formula:

s = k^-1 * (h + p * r) mod n

where p is the signer’s private key, and the order n

  1. Return the signature (r, s).

3. ECDSA Signature Verification - How Are Signatures Verified?

The ECDSA signature verification algorithm takes the signed message msg and the signature produced from the signing algorithm and the public key pubKey. The output is a boolean representing whether the signature is valid or invalid.

The ECDSA signature verification algorithm works by converting s back to R (R’) using the public key and message hash. The recovered R's x-coordinate r' is compared with r from the signature:

  1. Calculating the message hash, with the same hash function used when signing
  2. Calculating the modular inverse s1 of the signature proof:

s1 = s^-1 (mod n)

  1. Recovering the random point used during the signing:

R' = (h * s1) * G + (r * s1) * pubKey

  1. Retrieving r' from R': r' = R'.x
  2. Calculating the signature validation result by comparing whether r' == r

ecrecover is the EVM precompile that enables the retrieval of the signer's address of a message that has been signed using their private key using ECDSA. It allows smart contracts to verify the integrity of the signature and retrieve the signer.

Summary on the elliptic curve digital signature algorithm

The article serves as a comprehensive guide to ECDSA, covering its role in authentication, signature creation, and verification. It delves into the intricacies of key generation and the security aspects of asymmetric encryption. Understanding these concepts is vital for grasping the significance of signatures in smart contract security.

Secure your protocol today

Join some of the biggest protocols and companies in creating a better internet. Our security researchers will help you throughout the whole process.
Stay on the bleeding edge of security
Carefully crafted, short smart contract security tips and news freshly delivered every week.