Elliptic Curve DSA

Suppose Alice wants to send a signed message to Bob. Initially, the curve parameters ${\displaystyle (q,FR,a,b,G,n,h)}$  must be agreed upon. Also, Alice must have a key pair suitable for elliptic curve cryptography, consisting of a private key ${\displaystyle d_{A}}$  (a randomly selected integer in the interval ${\displaystyle [1,n-1]}$ ) and a public key ${\displaystyle Q_{A}}$  (where ${\displaystyle Q_{A}=d_{A}G}$ ).

For Alice to sign a message ${\displaystyle m}$ , she follows these steps:

1. Calculate ${\displaystyle e={\textrm {HASH}}(m)}$ , where HASH is a cryptographic hash function, such as SHA-1.
2. Select a random integer ${\displaystyle k}$  from ${\displaystyle [1,n-1]}$ .
3. Calculate ${\displaystyle r=x_{1}{\pmod {n}}}$ , where ${\displaystyle (x_{1},y_{1})=kG}$ . If ${\displaystyle r=0}$ , go back to step 2.
4. Calculate ${\displaystyle s=k^{-1}(e+rd_{A}){\pmod {n}}}$ . If ${\displaystyle s=0}$ , go back to step 2.
5. The signature is the pair ${\displaystyle (r,s)}$ .

For Bob to authenticate Alice's signature, he must have a copy of her public key ${\displaystyle Q_{A}}$ . He follows these steps:

1. Verify that ${\displaystyle r}$  and ${\displaystyle s}$  are integers in ${\displaystyle [1,n-1]}$ . If not, the signature is invalid.
2. Calculate ${\displaystyle e={\textrm {HASH}}(m)}$ , where HASH is the same function used in the signature generation.
3. Calculate ${\displaystyle w=s^{-1}{\pmod {n}}}$ .
4. Calculate ${\displaystyle u_{1}=ew{\pmod {n}}}$  and ${\displaystyle u_{2}=rw{\pmod {n}}}$ .
5. Calculate ${\displaystyle (x_{1},y_{1})=u_{1}G+u_{2}Q_{A}}$ .
6. The signature is valid if ${\displaystyle r=x_{1}{\pmod {n}}}$ , invalid otherwise.

Note that using Straus's algorithm (also known as Shamir's trick) a sum of two scalar multiplications ${\displaystyle u_{1}G+u_{2}Q_{A}}$  can be calculated faster than with two scalar multiplications.

• Accredited Standards Committee X9, American National Standard X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), November 16, 2005.
• Certicom Research, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000.
• López, J. and Dahab, R. An Overview of Elliptic Curve Cryptography, Technical Report IC-00-10, State University of Campinas, 2000.
• Daniel J. Bernstein, Pippenger's exponentiation algorithm, 2002.
• Daniel R. L. Brown, Generic Groups, Collision Resistance, and ECDSA, Designs, Codes and Cryptography, 35, 119-152, 2005. ePrint version
• Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart, editors, Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Note Series 317, Cambridge University Press, 2005.
• Darrel Hankerson, Alfred Menezes and Scott Vanstone, Guide to Elliptic Curve Cryptography, Springer, Springer, 2004.

• Digital Signature Standard; includes info on ECDSA

• Elliptic curve cryptography

Vorlage:Crypto navbox

de:ECDSA