Protocol++® (Protocolpp®)
v5.6.2
#include "include/jecdsafp.h"
see https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography
Key and signature-size comparison to DSA
As with elliptic-curve cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits. For example, at a security level of 80 bits (meaning an attacker requires a maximum of about operations to find the private key) the size of an ECDSA public key would be 160 bits, whereas the size of a DSA public key is at least 1024 bits. On the other hand, the signature size is the same for both DSA and ECDSA: approximately bits, where is the security level measured in bits, that is, about 320 bits for a security level of 80 bits
Signature generation algorithm
Suppose Alice wants to send a signed message to Bob. Initially, they must agree on the curve parameters (CURVE, G, n). In addition to the field and equation of the curve, we need G, a base point of prime order on the curve; n is the multiplicative order of the point G
Parameter | Description |
---|---|
CURVE | the elliptic curve field and equation used |
G | elliptic curve base point, such as a pt on , a generator of the elliptic curve with large prime order n |
n | integer order of , means that , where O is the identity element |
The order n of the base point G must be prime. Indeed, we assume that every nonzero element of the ring are invertible, so that must be a field. It implies that n must be prime (cf. Bézout's identity)
Alice creates a key pair, consisting of a private key integer , randomly selected in the interval ; and a public key curve point
We use to denote elliptic curve point multiplication by a scalar
For Alice to sign a message m, she follows these steps:
When computing , the string resulting from shall be converted to an integer. Note that can be greater than but not longer
As the standard notes, it is not only required for k to be secret, but it is also crucial to select different k for different signatures, otherwise the equation in step 6 can be solved for , the private key: Given two signatures and , employing the same unknown for different known messages and , an attacker can calculate and , and since (all operations in this paragraph are done modulo n ) the attacker can find . Since , the attacker can now calculate the private key .
Another way an ECDSA signature may leak private keys is when k is generated by a faulty random number generator. To ensure that k is unique for each message, one may bypass random number generation completely and generate deterministic signatures by deriving k from both the message and the private key
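The two paragraphs above, as an added example that is not Protocol++ code: a minimal ECDSA over a prime field in which the nonce k is derived from the private key and the message, plus an audit helper that flags signatures sharing the same r, the visible symptom of a reused k. Assumptions: the secp256k1 curve and SHA-256 (the page names neither), a simplified HMAC-based nonce that is not RFC 6979, and hypothetical function names throughout.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime (assumed curve; the page names none)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine addition on y^2 = x^3 + 7; None is the identity O
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    num, den = (3 * p[0] * p[0], 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, p):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def z_of(msg):  # message hash converted to an integer and reduced modulo n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def derive_k(d, msg):  # simplified deterministic nonce in [1, n-1], not RFC 6979
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

def sign(d, msg, k=None):  # k=None derives the nonce; an explicit k is for testing only
    k = derive_k(d, msg) if k is None else k
    r = mul(k, G)[0] % N  # r == 0 or s == 0 would need a retry; negligible at this size
    return r, pow(k, -1, N) * (z_of(msg) + r * d) % N

def verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(z_of(msg) * w % N, G), mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def reused_nonces(sigs):  # sigs: iterable of (label, (r, s)) made with one key
    seen = {}
    for label, (r, _s) in sigs:
        seen.setdefault(r, []).append(label)
    return {r: ids for r, ids in seen.items() if len(ids) > 1}
```

Run `reused_nonces` over the signatures issued under a single key; any r it returns means that key should be treated as exposed and rotated.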
Signature verification algorithm
For Bob to authenticate Alice's signature, he must have a copy of her public-key curve point
Bob can verify is a valid curve point as follows:
After that, Bob follows these steps:
Note that using Shamir's trick, a sum of two scalar multiplications can be calculated faster than two scalar multiplications done independently
Concerns
There exist two sorts of concerns with ECDSA:
The source code contained or described herein and all documents related to the source code (herein called "Material") are owned by John Peter Greninger and Sheila Rocha Greninger. Title to the Material remains with John Peter Greninger and Sheila Rocha Greninger. The Material contains trade secrets and proprietary and confidential information of John Peter Greninger and Sheila Rocha Greninger. The Material is protected by worldwide copyright and trade secret laws and treaty provisions. No part of the Material may be used, copied, reproduced, modified, published, uploaded, posted, transmitted, distributed, or disclosed in any way without prior express written consent of John Peter Greninger and Sheila Rocha Greninger (both are required)
No license under any patent, copyright, trade secret, or other intellectual property right is granted to or conferred upon you by disclosure or delivery of the Materials, either expressly, by implication, inducement, estoppel, or otherwise. Any license under such intellectual property rights must be express and approved by John Peter Greninger and Sheila Rocha Greninger in writing
Licensing information can be found at www.protocolpp.com/license with use of the binary forms permitted provided that the following conditions are met:
Use of the source code requires purchase of the source code. Source code can be purchased at www.protocolpp.com/shop
The name of its contributor may not be used to endorse or promote products derived from this software without specific prior written permission and licensing
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE