Open In App

Blockchain – Elliptic Curve Digital Signature Algorithm (ECDSA)

Last Updated : 29 Nov, 2022
Like Article

Blockchain is the underlying technology of the virtual currency BitCoin. The blockchain is a distributed database that stores records of all transactions or digital events that have occurred and are shared among participants. 

The majority of system participants confirm each transaction. It contains every single transaction record. Bitcoin is the most well-known cryptocurrency and a blockchain example. Some examples of blockchains are:

  1. Public Blockchain: It is a permissionless public ledger on which anyone may join and transact and it is a non-restrictive version of the ledger, with a copy for each peer. This also implies that anyone who has internet access can connect to the public Blockchain.
  2. Private Blockchain: A blockchain network works in a private setting, such as a confined network, or is managed by a single identity and they are frequently run on a local network within a company or organization rather than being available to anybody who wishes to donate computing power.
  3. Hybrid Blockchain: Companies who want the best of both worlds employ a hybrid blockchain, which incorporates the benefits of both private and public blockchains and it allows businesses to build a private, authorization system alongside a public, permissionless system, letting them choose who has access to specific data and what data is made public.
  4. Consortium Blockchain: A consortium blockchain’s consensus procedures are controlled by predetermined nodes. A validator node is in charge of initiating, collecting, and validating transactions. Member nodes can initiate or receive transactions.

What is ECDSA?

The Elliptic Curve Digital Signature Algorithm is a Digital Signature Algorithm (DSA) that uses elliptic curve cryptography keys. It is a very efficient equation that is based on cryptography with public keys. ECDSA is utilized in many security systems, is popular in encrypted messaging apps, and is the foundation of Bitcoin security (with Bitcoin “addresses” serving as public keys).

Elliptic Curve Digital Signature Algorithms (ECDSA) have recently received significant attention, particularly from standards developers, as alternatives to existing standard cryptosystems such as integer factorization cryptosystems and discrete logarithm problem cryptosystems. In security applications, crypto-algorithms are always the most significant fundamental tool.

Digital Signature of ECDSA

A digital signature is an electronic equivalent of a handwritten signature that allows a receiver to persuade a third party that the message was indeed sent by the sender. Handwritten signatures are substantially less secure than digital signatures. A digital signature cannot be forged in any way. Another advantage of digital signatures over handwritten signatures is that they apply to the entire message. 

Every part of the digital message is affected by the signature key. On the bottom of a paper document, a handwritten signature is applied. Nothing prohibits the text displayed above the penned signature from being altered while the signature remains unaltered. Digital signatures do not allow for such changes. Today’s digital signature methods can be categorized based on a mathematical issue that provides the foundation for their security:

  • Integer Factorization (IF) Schemes: They rely their security on the integer factorization problem’s intractability. RSA Signature Schemes are one example.
  • Discrete Logarithm (DL) Schemes: Their security is based on the intractable nature of the discrete logarithm challenge in a finite field.
  • Elliptic Curve (EC) Schemes: They rely their security on the elliptic curve discrete logarithm problem’s intractability. The Elliptic Curve Digital Signature Algorithm, for example, is being used in this investigation and without a doubt the most recent of the many designs.

Domain Parameter of ECDSA

An elliptic curve E defined over a discrete space Fq with characteristic p and a base point G Domain parameters might be distributed by a group of entities or unique to a single user.

Domain parameter generation methods:

One method for generating cryptographically safe domain parameters is as follows:

  • Step 1: Select coefficients a and b from Fq verifiable using a random method.
  • Step 2: Compute the value of Number N.
  • Step 3: Verify N is divisible by the large prime number if not go to step 1.
  • Step 4: Verify N does not divisible by qk -1 for each k where k ranges from 1 to 20.
  • Step 5: Verify N is not equal to q if not then go to step 1.
  • Step 6: Select an arbitrary point G’∈ Nq and set G=(N/n).

Domain parameter validation:

Validation of domain parameters ensures that the domain parameters have the necessary arithmetic features. In practice, domain parameter validation is performed for two reasons:

  1. To prevent the intentional insertion of erroneous domain parameters, which may enable some attacks
  2. To detect inadvertent coding or transmission mistakes.

The use of an improper set of domain parameters can render all intended security attributes null and void. A concrete (though implausible) attack that can be conducted if domain parameter validation for a signature scheme is not done was demonstrated. The attack is directed at a key agreement protocol that uses the ElGamal signature technique.

Steps for domain parameter validation:

  • Step 1: usage of a specific algorithm is used to do explicit domain parameter validation.
  • Step 2: D is generated by A utilizing a trustworthy system.
  • Step 3: A obtains confirmation from a trusted party T, a certification authority, that T validated D’s explicit domain parameters using a specified Algorithm.
  • Step 4: A obtains assurance from a trustworthy third party T that D was generated using a trustworthy system.

ECDSA key pair

An ECDSA key pair is linked to a specific set of EC domain settings. The public key is a randomly generated multiple of the base point, whereas the private key is the integer used to generate the multiple points.

Key pair generation:

The key pair of entity A is associated with a certain set of EC domain parameters D = (q, FR, a, b, G, n, h). This relationship can be ensured cryptographically (e.g., with certificates) or contextually (e.g., by using the same domain parameters by all organizations). Prior to key generation, entity A must be confident that the category parameters are correct.
Creation of an ECDSA key pair. Every item A does these things:

  1. Choose an integer d at random or a pseudo-random number within the range [1, n1].
  2. Determine Q = dG.
  3. A’s private key is d, and A’s public key is Q.

Algorithm for explicit validation of an ECDSA public key:

Input for the algorithm:  A public key Q=(xQ, yQ) associated with valid domain parameters (q, FR, a, b, G,n,h).

Output for the algorithm: Acceptance or rejection of the validity of h.

  1. Check that Q does not equal O.
  2. Check that xQ and yQ are properly represented elements of  Fq(i.e., integers in the interval |0, p-1| in case q = p, and bit strings of length A  bits in the case q = 2m).
  3. Check that h lies on the elliptic curve defined by a and b.
  4. Check that nQ = O.
  5. If any check fails, then Q is invalid; otherwise Q is valid

 Proof of Possession of a Private Key:

  • An organization can assert that signed messages came from it if it can certify another entity’s public key as being its own. To prevent this, before the CA verifies the public key as belonging to A, it should demand that all entities show proof of ownership of the private keys that match their public keys.
  • It should be noted that private key possession evidence offers distinct guarantees from public key verification. The former proves that a private key is in your possession even though it might correlate to an invalid public key, whereas the latter proves that a public key is legitimate but that you do not own the associated private key. With both, a great level of assurance is offered.

ECDSA Signature Generation

The steps for creating and verifying signatures with the ECDSA are described in this section. An entity A with domain attributes D=(q, FR, a, b, G, n, h) and associated key pair (d, Q) performs the following actions to sign a message m.

  1. Select a random or pseudo-random integer k, where k ranges from 1 to n c – 1.
  2. Transform x1 to an integer by computing kG = (x1, y1).
  3. Compute r = x1 mod n and if r = 0 then go to step 1.
  4. Compute k – 1 mod n.
  5. Compute s = k – 1(e + dr) mod n. If s is equal to 0 then follow step 1.
  6. The message m bears the signature of A. (r,s).

ECDSA Signature Verification

B receives an authentic copy of A’s domain parameters D = (q, FR, a, b, G, n, h) and related public key Q in order to validate A’s signature (r, s) on m. It is advised that B verifies D and Q as well. Next, B performs the following:

  1. Check if the integers r and s fall inside the range [1, n – 1].
  2. Transform the bit string to a number e and perform SHA – 1(m).
  3. Compute w = s-1 mod n.
  4. Compute u1 = ew mod n and u2 = rw mod n.
  5. Compute X = u1G + u2Q.
  6. If X = O, then reject the signature. If not, compute v = x1 mod n and convert X’s x coordinate x1 to an integer.
  7. Accept the signature if and only if v = r.

Security Consideration

In August 2013, it was discovered that errors in some Java class Secure Random implementations occasionally caused collisions in the k value. The same exploit that was used to expose the PS3 signing key on certain Android app implementations, which use Java and depend on ECDSA to authenticate transactions, allowed hackers to retrieve private keys giving them the same authority over bitcoin transactions as legitimate key owners.

  • ECDSA’s security goal is to be existentially unforgeable in the face of a chosen-message attack. 
  • Aside from obtaining signature on a selection of messages (excluding A), the objective of an adversary launching such an assault against a legitimate business is to obtain a valid signature on a single message A.

Brown has shown that ECDSA itself is secure under the assumption that an underlying group is a generic group and that the hash function employed is collision-resistant. The following categories can be used to group potential ECDSA attacks:

  1. The Attack on the Discrete Logarithm Problem for Elliptic Curves.
  2. Attacks on the hashing algorithm used.
  3. Other types of attacks. 

The Attack on the Discrete Logarithm Problem for Elliptic Curves:

  • Baby step giant step algorithm: This algorithm is a period compromise of the exhaustive search technique. In the worst case, it runs for about steps and needs storage for about points.
  •  PARALLELIZED POLLARD’S RHO ALGORITHM Parallelized pollard’s RHO algorithm-Pollard’s rho algorithm can be parallelized, as demonstrated by Van Oorschot and Wiener so that when the procedure is executed in parallel on H processors, the predicted running time is around 16 steps. That is, a speedup of H times occurs when H processors are used.
  •  Other classes of elliptic curves are excluded from the assault. Therefore, one can simply confirm that the Semaev-Smart-Satoh-Araki attack does not apply by ensuring that the amount of points on an elliptic curve is not equal to the attribute values of the underlying field.

Attacks on the hashing algorithm:

  • If SHA-1 is not preimage-resistant, attacker E might be able to forge the signatures of A in the manner shown below. A random number l is chosen by E, and r is calculated as the x coordinates of Q+lG reduced modulo n. E determines e=rl mod n and sets s=r. A valid signature for message m is (r,s) if E can locate a message m such that e=SHA-1(m).
  • Finding a collision for SHA-1 is the quickest way currently known for attacking ECDSA by making use of SHA-1’s features. However, keep in mind that regardless of the magnitude of the principal security parameter n, this attack sets an upper bound on the security level of ECDSA.
  • In this scenario, discovering collision for H1 and attacking ECDSA by solving the ECDLP both take about the same amount of time. The new family will offer 256,384 and 512-bit output lengths.

Other types of Attacks:

  • Duplicate-Signature key selection: It appears that ECDSA no longer possesses the DSKS property if one requires that the generating point be chosen verifiably at random during domain parameter creation (using a technique similar to that in 5.2 for generating elliptic curves verifiably at random). It must be underlined that having the DSKS characteristic does not make the signature scheme insecure.
  • Implementation Attack: The attacks that might be used against ECDSA implementations, such as timing attacks, differential fault analysis, differential power analysis, and attacks that make use of weak or fake random numbers, are not covered by ANSI X9.62.

Implementation of ECDSA

Prerequisite: Basics of python programming language, basics of cryptography techniques, and Elliptic Curve Cryptography.

Below is the python program to implement ECDSA:


# Python program to implement
p = pow(2, 255) - 19
base = 15112221349535400772501151409588531511454012693041857206046113283949847762202, 46316835694926478169428394003475163141307993866256225615783033603165251855960
# Function for finding positive modulus
# of the number
def findPositiveModulus(a, p):
    if a < 0:
        a = (a + p * int(abs(a)/p) + p) % p
    return a
# Function for typecasting from
# string to int
def textToInt(text):
    encoded_text = text.encode('utf-8')
    hex_text = encoded_text.hex()
    int_text = int(hex_text, 16)
    return int_text
# Function to find greatest
# common divisor(gcd) of a and b   
def gcd(a, b):
    while a != 0:
        a, b = b % a, a
    return b
# Function to find the modular inverse
# of a mod m
def findModInverse(a, m):
    if a < 0:
        a = (a + m * int(abs(a)/m) + m) % m
    # no mod inverse if a & m aren't
    # relatively prime
    if gcd(a, m) != 1:
        return None
    # Calculate using the Extended
    # Euclidean Algorithm:
    u1, u2, u3 = 1, 0, a
    v1, v2, v3 = 0, 1, m
    while v3 != 0:
        # // is the integer division operator
        q = u3 // v3
        v1, v2, v3, u1, u2, u3 = (u1 - q * v1), (u2 - q * v2), (u3 - q * v3), v1, v2, v3
    return u1 % m
def applyDoubleAndAddMethod(P, k, a, d, mod):
    additionPoint = (P[0], P[1])
    # 0b1111111001
    kAsBinary = bin(k)
    # 1111111001
    kAsBinary = kAsBinary[2:len(kAsBinary)]
    # print(kAsBinary)
    for i in range(1, len(kAsBinary)):
        currentBit = kAsBinary[i: i+1]
        # always apply doubling
        additionPoint = pointAddition(additionPoint, additionPoint, a, d, mod)
        if currentBit == '1':
            # add base point
            additionPoint = pointAddition(additionPoint, P, a, d, mod)
    return additionPoint
# Function to calculate the point addition
def pointAddition(P, Q, a, d, mod):
    x1 = P[0]; y1 = P[1]
    x2 = Q[0]; y2 = Q[1]
    x3 = (((x1*y2 + y1*x2) % mod) * findModInverse(1+d*x1*x2*y1*y2, mod)) % mod
    y3 = (((y1*y2 - a*x1*x2) % mod) * findModInverse(1- d*x1*x2*y1*y2, mod)) % mod
    return x3, y3
# ax^2 + y^2  = 1 + dx^2y^2
# ed25519
a = -1; d = findPositiveModulus(-121665 * findModInverse(121666, p), p)
# print("curve: ",a,"x^2 + y^2 = 1 + ",d,"x^2 y^2")
x0 = base[0]; y0 = base[1]
print("Key Generation: ")
# privateKey = 47379675103498394144858916095175689
# 779086087640336534911165206022228115974270 #32 byte secret key
import random
privateKey = random.getrandbits(256) #32 byte secret key
# print("private key: ",privateKey)
publicKey = applyDoubleAndAddMethod(base, privateKey, a, d, p)
print("public key: ", publicKey)
message = textToInt("Hello, world!")
# Function for hashing the message
def hashing(message):
    import hashlib
    return int(hashlib.sha512(str(message).encode("utf-8")).hexdigest(), 16)
# ---------------------------------------
# sign
r = hashing(hashing(message) + message) % p
R = applyDoubleAndAddMethod(base, r, a, d, p)
h = hashing(R[0] + publicKey[0] + message) % p
# % p
s = (r + h * privateKey)
print("message: ",message)
print("Signature (R, s)")
print("R: ",R)
print("s: ",s)
# -----------------------------------
# verify
h = hashing(R[0] + publicKey[0] + message) % p
P1 = applyDoubleAndAddMethod(base, s, a, d, p)
P2 = pointAddition(R, applyDoubleAndAddMethod(publicKey, h, a, d, p), a, d, p)
print("P1: ",P1)
print("P2: ",P2)
if P1[0] == P2[0] and P1[1] == P2[1]:
    print("The Signature is valid")
    print("The Signature violation detected!")
# ----------------------------------


...blic key:  (26918120103361800085773610577277667031376341423486858590551694398978343506914, 41571789812029741664733875508966147477834661168851922521484251069546513750379)
message:  5735816763073854953388147237921
Signature (R, s)
R:  (17398582206386920242697161388728121547970811789911961114394435433884805588241, 4477075765930951269674344356261240319783403544001405833534737085436262538822)
s:  3291674092131697202311675745525475365064968319467374939508492134906839565421454360595692773627854237066150136741348888228613399059665246158159645036462397
P1:  (54210443699657255006307559839080041946816741974102144613555250053180514162101, 46284667157447087756123147436551451079394750818076298715356522162516164752308)
P2:  (54210443699657255006307559839080041946816741974102144613555250053180514162101, 46284667157447087756123147436551451079394750818076298715356522162516164752308)
The Signature is valid


  • The python code first generates both the private key and the public key.
  • The calculation is then done by converting the message to an integer.
  • The hashing method is used to determine the values of r and s.
  • Then the signature process takes places
  • The ApplyDoubleAndAdd method is used to calculate the value of points p1 and p2.
  • The signature is valid if both points p1 and p2 are equal; else, it is invalid.

Benefits of ECDSA

  • High Security: It is a public key cryptography-based equation that is especially effective (PKC). ECDSA serves as the foundation for the security of Bitcoin and is widely utilized in secure messaging apps. For a number of reasons, smaller keys are preferable over larger keys. Because the math is simpler with smaller keys, faster algorithms can generate signatures.
  • Good application performance: The key pairs needed for the digital signature’s signing and verification are created using ECC by the ECDSA digital signature algorithm. ECC is frequently used to sign transactions or events in blockchain applications due to its advantages over other public-key algorithms.
  • High speed of verification: The signed message msg, the signature r, s generated by the signing algorithm, and the public key pubKey, which corresponds to the signer’s private key, are all inputs to the process used to validate an ECDSA signature. The result is a boolean value, either valid or invalid.
  • Support government standards: The Digital Signature Standard (DSS), a Federal Information Processing Standard (FIPS) of the United States Government, contains the Digital Signature Algorithm (DSA) specifications. The discrete logarithm problem’s (DLP) computational intractability in prime-order subgroups of Z serves as the foundation for its security.
  • Complaints with modern requirement: ECC comply with FIPS as ECDSA is one of the FIPS-approved techniques for asymmetric key functions in FIPS 140-2, along with RSA and DSA. Based on public key cryptography, it is a highly effective equation (PKC).

Limitations of ECDSA

  • Standard curve: Secure implementation is difficult and challenging, particularly for conventional curves. Modern standards are outdated, especially ECDSA, which is a hack in comparison to Schnorr signatures.
  • Signing verification error: The key is compromised if a faulty or compromised generator of random numbers is used for signing.
    In particular for binary curves, still has certain patent issues. It might be expensive.
  • Problem with curves: In particular for binary curves, it still has certain patent issues. It might be expensive. The increasing use of elliptic curves has collided with the ongoing development of quantum computing research.
  • The size of encryption process: ECC’s primary drawback is that it greatly increases the size of the encrypted message compared to RSA encryption. Additionally, the ECC algorithm is more complex and challenging to implement than RSA, increasing the risk of implementation errors and lowering the technique’s security.
  • the same random value: Private key for Bitcoin obtained via ECDSA signatures. The usage of the same nonce value across many messages is one of the flaws.

Applications of ECDSA

  • ECDSA-dependent systems, like Bitcoin, are a suitable example. An ECDSA public key is hashed using cryptography to create each Bitcoin address. Whoever has access to the ECDSA private key is the account’s true owner.
  • This implies that you can get the same level of security with ECDSA as RSA while using smaller keys. For a number of reasons, smaller keys are preferable over larger keys. Because the math is simpler with smaller keys, faster algorithms can generate signatures.
  • In order to create a TLS connection, smaller public keys imply smaller certificates, and fewer data must be transmitted. Faster connectivity and speedier page loading are the results of this.


  • The solution to the discrete logarithm problem: The fundamental draw of ECDSA is the absence of a sub-exponential solution that can solve the discrete logarithm problem for elliptic curves on the right elliptic curve. As a result, it takes full exponential time to solve, while the fastest techniques for addressing the discrete logarithm problem in DSA and the underlying integer factorization 
  • Faster processing: Some benefits of having smaller key sizes include faster computation time and reduction in processing power, storage space, and bandwidth. Because of this, ECDSA works well in limited environments like pagers, PDAs, cell phones, and payment systems. These benefits are particularly significant in other contexts with limited processor speed, storage capacity, bandwidth, or power consumption.
  • High Security: Benefits are particularly significant in other contexts with limited processor speed, storage capacity, bandwidth, or power consumption. The aforementioned characteristics increase the security of online communication, allowing for the conduct of electronic commerce and other activities with little to no concern about hacker activity.

Like Article
Suggest improvement
Share your thoughts in the comments

Similar Reads