Principle and Application of Elliptic Curve Digital Signature Algorithm

Signatures are common in everyday life. A simple example: when you failed an exam as a child, the teacher would often ask you to take the test paper home and have your parents sign it to acknowledge your grade. With this kind of signature you might get someone else to pose as your father, and it is not easy for the teacher to verify that the signature really is your parent's.
Elliptic curve digital signatures are verifiable.
The formula and function image are as shown in the figure below.
The condition 4a^3 + 27b^2 != 0 ensures that every point on the curve has a unique tangent.
The picture comes from the Internet
Basic operations on elliptic curve points.
Addition: for A + B = C, draw the line through A and B. It intersects the elliptic curve at a third point, and C is the reflection of that third point across the x-axis.
If A and B coincide, the line is the tangent to the elliptic curve at point A. Then C = 2A, and C is the reflection across the x-axis of the second point where that tangent intersects the curve.
Once addition is defined, multiplication follows, because multiplying a point by an integer is just repeated addition.
Okay, let's get to the point:
Take a base point G (public).
Let the private key be a large positive integer S (not public),
so that the point P = SG, and P is the public key (public).

Signing process

  1. Pick a random number k
  2. Use this random number to generate a point R_ with coordinates (x1, y1) = kG
  3. Let r = x1
  4. Hash the information to be sent: m = hash(M)
  5. Let s = (m + rS)/k
  6. Get the recovery id v
  7. The signature is then {r, s, v}

Signature verification process

From the signature value r, the point R is obtained. At this stage R has two candidate values (because the curve is symmetric about the x-axis), and the recovery identifier v decides which one to choose. The recovered R is equal to R_ from the signing process (R = R_ = kG).
Recovery formula (known: {m, {r, s, v}}): P_ = (-m/r) * G + (s/r) * R
All values in the recovery formula are known.
If the calculated result P_ = P, the signature is valid; otherwise it is not.
Because of the limits of computer storage, the algorithm in practice has to be mapped into a finite field, that is, every operation is carried out modulo a prime.
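The signing steps and the recovery formula above, carried out with modular arithmetic, as an added example that is not code from the original post. It assumes the secp256k1 curve (y^2 = x^3 + 7), SHA-256 as the hash, and v taken as the parity of y1; the function names are made up for this illustration.

```python
import hashlib, secrets

# Assumed curve: secp256k1 (field prime p, group order n, base point G).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition mod p; None stands for the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None                                          # A + (-A)
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1] % p, -1, p) % p  # tangent slope
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p  # chord slope
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)                # reflected third point

def mul(k, A):
    """Scalar multiplication kA by double-and-add."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sign(M, S):
    """Return {r, s, v} for message bytes M under private key S."""
    m = int.from_bytes(hashlib.sha256(M).digest(), "big")
    while True:
        k = secrets.randbelow(n - 1) + 1          # fresh secret k for every signature
        x1, y1 = mul(k, G)                        # R_ = kG
        r = x1 % n
        s = (m + r * S) * pow(k, -1, n) % n       # division by k is inversion mod n
        if r and s and x1 < n:                    # retry the rare degenerate cases
            return r, s, y1 & 1                   # v = parity of y1

def recover(M, r, s, v):
    """Return P_ = (-m/r) * G + (s/r) * R."""
    m = int.from_bytes(hashlib.sha256(M).digest(), "big")
    y = pow(pow(r, 3, p) + 7, (p + 1) // 4, p)    # square root mod p (p % 4 == 3)
    if y & 1 != v: y = p - y                      # v selects one of the two R values
    rinv = pow(r, -1, n)
    return add(mul(-m * rinv % n, G), mul(s * rinv % n, (r, y)))
```

A verifier accepts the signature only when `recover(M, r, s, v)` equals the known public key P = `mul(S, G)`.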

Application

Consider a scenario: a company is running a promotion and giving free gifts to its member users. The company could ship a gift to each user, but it does not want to bear the shipping cost. So it sets up a self-pickup station, where members collect the gift using their member ID. Not everyone can pick one up: only members whose ID has been signed by the company can receive the gift.
The member ID in this scenario is the m above.

The following is a similar code implementation.

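 function claim(uint256 amountV, bytes32 r, bytes32 s) external {
     // amountV packs the recovery id v in its top 8 bits and the amount in its low 248 bits.
     uint256 amount = uint248(amountV);
     uint8 v = uint8(amountV >> 248);
     uint256 total = _totalSupply + amount;
     require(total <= MAX_SUPPLY, "Exceed max supply");
     // Each address may claim only once.
     require(minted(msg.sender) == 0, "Claimed");
     // The signed message: typed-data hash over (caller, amount), wrapped in the Ethereum signed-message prefix.
     bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32",
         ECDSA.toTypedDataHash(_domainSeparatorV4(),
             keccak256(abi.encode(MINT_CALL_HASH_TYPE, msg.sender, amount))
     )));
     // Recover the signer from {r, s, v}; ecrecover returns address(0) when the signature is invalid.
     address recovered = ecrecover(digest, v, r, s);
     require(recovered != address(0) && recovered == cSigner, "Invalid signer");
     _totalSupply = total;
     _mint(msg.sender, amount);
 }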

Origin blog.csdn.net/wjl__ai__/article/details/122271497