![Key Generation
Since the domain parameters (P, a, b, G, n, h) are preestablished, the curve
and the base point are known by both parties.
Also, the prime P that makes it a finite field is also known (P is usually 160
bits and can be greater as well).
So, the sender, say, Alice does the following to generate the keys:
• Select a random integer d in the interval [1, n − 1]
• Compute Q = d G
• Declare Q is the public key and keep d as the private key.](https://image.slidesharecdn.com/ecdsagood-250208151750-52b3e804/85/Elliptic-Curve-Digital-Signature-Algorithm-ECDSA-ppt-14-320.jpg)
![Signature Generation
Once the keys are generated, Alice, the sender, would use the private
key “d” to sign the message (m). So, she would perform the
following steps in
the order specified to generate the signature:
• Select a random number k in the interval [1, n − 1]
• Compute k.G and find the new coordinates (x1, y1) and
find r = x1 mod n
If r = 0, then start all over again
• Compute e = SHA-1 (m)
• Compute s = k −1 (e + d . r) mod n
If s = 0, then start all over again from the first step
• Alice’s signature for the message (m) would now be (r, s)](https://image.slidesharecdn.com/ecdsagood-250208151750-52b3e804/85/Elliptic-Curve-Digital-Signature-Algorithm-ECDSA-ppt-15-320.jpg)
![Signature Verification
Let us say Bob is the receiver here and has access to the domain
parameters and the public key Q of the sender Alice.
As a security measure, Bob should first verify that the data he has, which is
the domain parameters, the signature, and Alice’s public key Q are all valid.
To verify Alice’s signature on the message (m), Bob would perform the
following operations in the order specified:
• Verify that r and s are integers in the interval [1, n − 1]
• Compute e = SHA-1 (m)
• Compute w = s −1 mod n
• Compute u1 = e w mod n, and u2 = r w mod n
• Compute X = u1 G + u2 G, where X represents the coordinates, say (x2,
y2)
Compute v = x1 mod n
• Accept the signature if r = v, otherwise reject it](https://image.slidesharecdn.com/ecdsagood-250208151750-52b3e804/85/Elliptic-Curve-Digital-Signature-Algorithm-ECDSA-ppt-16-320.jpg)
Elliptic Curve Digital Signature Algorithm (ECDSA).ppt
- 1. BLOCKCHAIN TECHNOLOGY Dr.P.Vishvapathi Professor, CSE Department
- 2. I UNIT Digital Signature - ECDSA
- 3. ECC is based on a mathematically related set of numbers on an elliptic curve over finite fields. Also, it has nothing to do with ellipses! Mathematically, an elliptic curve satisfies the following mathematical equation: y2 = x3 + ax + b, where 4 a3 + 27 b2 ≠ 0 With different values of “a” and “b”, the curve takes different shapes as shown in the following diagram:
- 4. • There are several important characteristics of elliptic curves that are • used in cryptography, such as: • • They are horizontally symmetrical. i.e., what is below the X-axis is a mirror image of what is above the X-axis. So, any point on the curve when reflected over the X-axis still remains on the curve. • • Any nonvertical line can intersect the curve in at most three places. • • If you consider two points P and Q on the elliptic curve and draw a line through them, the line may exactly cross the curve at one more places. Let us call it (− R). If you draw a vertical line through (− R), it will cross the curve at, say, R, which is a reflection of the point (− R). • Now, the third property implies that P + Q = R. This is called “point addition,” which means adding two points on an elliptic curve will lead you to another point on the curve. Refer to the following diagram for a pictorial representation of these three properties.
- 6. So, you can apply point addition to any two points on the curve. Now, in the previous bullet-point, we did point addition of P and Q (P + Q) and found − R and then ultimately arrived at R. Once we arrive at R, we can then draw a line from P to R and see that the line intersects the graph again at a third point. We can then take that point and move along a vertical line until it intersect the graph again. This becomes the point addition for points P and R. This process with a fixed P and the resulting point can continue as long as we want, and we will keep getting new points on the curve.
- 7. • Now, instead of two points P and Q, what if we apply the operation to the same point P, i.e., P and P (called “point doubling”). Obviously, infinite numbers of lines are possible through P, so we will only consider the tangential line. • The tangent line will cross the curve in one more point and a vertical line from there will cross the curve again to get to the final value. • It can be shown as follows:
- 9. • It is evident that we can apply point doubling “n” number of times to the initial point and every time it will lead us to a different point on the curve. • The first time we applied point doubling to the point P, it took us to the resulting point 2P as you can see in the diagram. • Now, if the same is repeated “n” number of times, we will reach a point on the curve as shown in the following diagram:
- 10. • In the aforementioned scenario, when the initial and final point is given, there is no way one can say that the point doubling was applied “n” number of times to reach the final resulting point except trying for all possible “n” one by one. • This is the discrete logarithm problem for ECC, where it states that given a point G and Q, where Q is a multiple of G, find “d” such that Q = d G. • This forms the one-way function with no shortcuts. • Here, Q is the public key and d is the private key. Can you extract private key d from public key Q? • This is the elliptic curve discrete logarithm problem,which is computationally difficult to solve.
- 11. • Further to this, the curve should be defined over a finite field and not take us to infinity! This means the “max” value on the X-axis has to be limited to some value, so just roll the values over when we hit the maximum. • This value is represented as P (not the P used in the graphs here) in the ECC cryptosystem and is called "modulo” value, and it also defines the key size, hence the finite field. • In many implementations of ECC, a prime number for “P” is chosen. • • Increased size of “P” results in more usable values on the curve, hence more security. • • We observed that point addition and point doubling form the basis for finding the values that are used for encryption and decryption.
- 12. So, in order to define an ECC, the following domain parameters need to be defined: • The Curve Equation: y2 = x3 + ax + b, where 4 a3 + 27 b2 ≠ 0 • P: The prime number, which specifies the finite field that the curve will be defined over (modulo value) • a and b: Coefficients that define the elliptic curve • G: Base point or the generator point on the curve. This is the point where all the point operations begin and it defines the cyclic subgroup. • n: The number of point operations on the curve until the resultant line is vertical. So, it is the order of G, i.e., the smallest positive number such that nG = ∞. It is normally prime. • h: It is called “cofactor,” which is equal to the order of the curve divided by n. It is an integer value and usually close to 1.
- 13. Elliptic Curve Digital Signature Algorithm The ECDSA is a type of DSA that uses ECC for key generation. As the name suggests, its purpose is digital signature, and not encryption. ECDSA can be a better alternative to RSA in terms of smaller key size, better security,and higher performance. It is one of the most important cryptographic components used in Bitcoins! We already looked at how digital signatures are used to establish trust between the sender and receiver. Since authenticity of the sender and integrity of the message can be verified through digital signatures, two unknown parties can transact with each other. Note that the sender and the receiver have to agree on the domain parameters before engaging in the communication. There are broadly three steps to ECDSA: key generation, signature generation, and signature verification.
- 14. Key Generation Since the domain parameters (P, a, b, G, n, h) are preestablished, the curve and the base point are known by both parties. Also, the prime P that makes it a finite field is also known (P is usually 160 bits and can be greater as well). So, the sender, say, Alice does the following to generate the keys: • Select a random integer d in the interval [1, n − 1] • Compute Q = d G • Declare Q is the public key and keep d as the private key.
- 15. Signature Generation Once the keys are generated, Alice, the sender, would use the private key “d” to sign the message (m). So, she would perform the following steps in the order specified to generate the signature: • Select a random number k in the interval [1, n − 1] • Compute k.G and find the new coordinates (x1, y1) and find r = x1 mod n If r = 0, then start all over again • Compute e = SHA-1 (m) • Compute s = k −1 (e + d . r) mod n If s = 0, then start all over again from the first step • Alice’s signature for the message (m) would now be (r, s)
- 16. Signature Verification Let us say Bob is the receiver here and has access to the domain parameters and the public key Q of the sender Alice. As a security measure, Bob should first verify that the data he has, which is the domain parameters, the signature, and Alice’s public key Q are all valid. To verify Alice’s signature on the message (m), Bob would perform the following operations in the order specified: • Verify that r and s are integers in the interval [1, n − 1] • Compute e = SHA-1 (m) • Compute w = s −1 mod n • Compute u1 = e w mod n, and u2 = r w mod n • Compute X = u1 G + u2 G, where X represents the coordinates, say (x2, y2) Compute v = x1 mod n • Accept the signature if r = v, otherwise reject it
- 17. • Elliptic curve cryptography is now used in a wide variety of applications: the U.S. government uses it to protect internal communications, the Tor project uses it to help assure anonymity, it is the mechanism used to prove ownership of bitcoins, it provides signatures in Apple's iMessage service, it is used to encrypt DNS information with DNSCurve, and it is the preferred method for authentication for secure web browsing over SSL/TLS. • If you are accessing the HTTPS version from a recent enough version of Chrome or Firefox, your browser is using elliptic curve cryptography.