-
Notifications
You must be signed in to change notification settings - Fork 32
ECDSA
ECDSA is a digital signature algorithm based on DSA and use elliptic curve groups. Currently only 4 NIST curves are supported:
| Curve | ID |
|---|---|
| P-224 | 1 |
| P-256 | 2 |
| P-384 | 3 |
| P-512 | 4 |
Each curve has a specified bit length L, which limited the range of integers used in the algorithm.
ECDSA public key is a curve point with affine coordinate (x, y)。
There are two encoding mode: compressed and non-compressed.
Assign X and Y to the L bits (⌈L/8⌉ bytes) sequence converted from x and y in little endian.
-
compressed: FLAG || X
FLAG is 1 byte flag which is 0x02 if Y is even or 0x03 if Y is odd.
-
non-compressed: 0x04 || X || Y
The serialized byte sequence of ECDSA public key has 2 leading bytes indicate ECDSA algorithm and the curve and follows by the encoded key data:
ECDSA_ID || CURVE_ID || ENCODED_PUBLIC_KEY
While curve P-256 is a special case, which uses the encoded key as the serialized data, starts with 0x02 or 0x03 (compression mode), without the IDs ahead.
ECDSA private key is a integer d.
For serialization, it is specified that the public key is serialized together:
ECDSA_ID || CURVE_ID || D || ENCODED_PUBLIC_KEY
where D is the L bits (⌈L/8⌉ bytes) sequence converted from d in little endian.
A ECDSA signature consists of 2 integers (r, s).
When serializing, first convert r and s to L bits byte sequences R, S. The result sequence is in following format:
SIGNATURE_SCHEME || R || S
Similar to public key, SHA256withECDSA is treated as a special case. R || S is used as the serialized data, without the leading flag. The data length is fixed to 64 bytes, which is used to distinguish this scheme from others.