Ethereum’s ecrecover precompiled contract

1 Introduction

Preface blog:

ECDSA (Elliptic Curve Digital Signature Algorithm) is a digital signature algorithm built on elliptic curve cryptography.

The public/private key pair is $(pk, P)$, where the public key $P = pk \times G$ and $G$ is the base point of the selected elliptic curve. (Elliptic curve base point: a point on the curve that generates a subgroup of large prime order $n$, with $n \times G = \mathcal{O}$, where $\mathcal{O}$ is the identity element.)

1.1 ECDSA signature

The ECDSA signing process for a message $m$ is:

  • 1) Calculate the hash value of message $m$: $e = hash(m)$. (The $hash$ function can be SHA-2, with the output converted to a numeric value.)
  • 2) If the bit length of the group order $n$ is $L_n$, take the leftmost $L_n$ bits of $e$ and assign them to $z$. (Note that $z$ can be larger than $n$, but its bit length cannot exceed that of $n$.)
  • 3) Select a random number $k \in_R [1, n-1]$. (Note: do not trust general-purpose random number generators, because bad RNGs have caused too many failures and vulnerabilities; you can use RFC 6979 to compute a deterministic $k$ from $pk$ and $m$.) (For example: in August 2013, the Android Bitcoin wallet used an incorrect random number generator, causing the private key to be leaked and funds to be lost; in December 2010, the Sony PS3 game console incorrectly used a static instead of a random $k$ value, causing its ECDSA private key to be leaked.)
  • 4) Calculate the curve point $(x_1, y_1) = k \times G$.
  • 5) Calculate $r = x_1 \mod n$; if $r = 0$, go back to step 3).
  • 6) Calculate $s = (z + r \cdot pk)/k \mod n$; if $s = 0$, go back to step 3).
  • 7) The final signature is $(r, s)$. (Note that $(r, -s \mod n)$ is also a valid signature.)
    [According to BIP-62 and EIP-2, in order to solve the malleability problem of ECDSA signatures, the $s$ value in the signature can be constrained so that $s$ is not higher than half of the curve order.]

Throughout the ECDSA signature process, it is required:

  • The $k$ value should be secret.
  • Different signatures should choose different $k$ values, otherwise the private key $pk$

1.2 ECDSA signature verification

For a received signature $(r, s)$, the process of verifying it with the public key $P$ is:

  • 1) Verify that the public key $P$ is not equal to the identity element $\mathcal{O}$ and that its coordinates are valid.
  • 2) Verify that the public key $P$ lies on the curve.
  • 3) Verify that the order of the public key $P$ is $n$, i.e. $n \times P = \mathcal{O}$.
  • 4) Verify that the signature $(r, s)$ is valid, that is, it satisfies $r \in [1, n-1]$, $s \in [1, n-1]$.
  • 5) Calculate the hash value of message $m$; the $hash$ function used should be the same as the one used for signing: $e = hash(m)$.
  • 6) Take the leftmost $L_n$ bits of $e$ and assign them to $z$.
  • 7) Calculate $u_1 = z/s \mod n$, $u_2 = r/s \mod n$.
  • 8) Calculate the curve point $(x_1, y_1) = u_1 \times G + u_2 \times P$. If $(x_1, y_1) = \mathcal{O}$, the signature is invalid.
  • 9) If $r \equiv x_1 \pmod n$ holds, the signature is valid; otherwise the signature is invalid.

Note that the above ECDSA signature verification algorithm can be improved as follows:

  • Calculate $1/s \mod n$ only once.
  • Use Shamir's trick: a sum of two scalar multiplications $u_1 \times G + u_2 \times P$ can be calculated faster than two scalar multiplications done independently. (See the 2014 paper "The Double-Base Number System in Elliptic Curve Cryptography".)

The general signing and verification process of ECDSA can be shown as follows:
[Figure: general ECDSA signing and verification process]

1.3 ECDSA public key recovery

ECDSA also supports a public key recovery algorithm, provided that the signer's public key or public key hash value is known in advance; otherwise, incorrect public key information may be recovered.

Ethereum implements the ecrecover precompiled contract at address 0x01, and its function prototype is:

function ecrecover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) returns (address);

ecrecover returns the address obtained by running the ECDSA recovery function on the given signature.
An example call in a Solidity contract is:

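// Recover the signer address of `hash` from the signature components (v, r, s).
function recoverSignerFromSignature(uint8 v, bytes32 r, bytes32 s, bytes32 hash) external pure returns (address) {
    address signer = ecrecover(hash, v, r, s);
    // ecrecover returns address(0) when recovery fails
    require(signer != address(0), "ECDSA: invalid signature");
    return signer;
}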

In an Ethereum transaction, the last 65 bytes are the ECDSA signature, in order:

  • 32 bytes of $r$
  • 32 bytes of $s$
  • 1 byte of $v$: where $v$ is the recovery identifier. According to the Ethereum Yellow Paper, the value range of $v$ is 27~30 (i.e. 0x1b~0x1e).



Origin blog.csdn.net/mutourend/article/details/128393913