ECDSA sign
Last updated
Last updated
The ECDSA signing algorithm (RFC 6979) takes as input a message msg ****+ a private key privKey ****and produces as output a signature, which consists of pair of integers {r, s}. The ECDSA signing algorithm is based on the ElGamal signature scheme and works as follows (with minor simplifications):
Calculate the message hash, using a cryptographic hash function like SHA-256: h = hash(msg)
Generate securely a random number k in the range [1..n-1]
In case of deterministic-ECDSA, the value k is HMAC-derived from h + privKey (see RFC 6979)
Calculate the random point R = k * G and take its x-coordinate: r = R.x
Calculate the signature proof: s =
The modular inverse is an integer, such that
Return the signature {r, s}.
The calculated signature {r, s} is a pair of integers, each in the range [1...n-1]. It encodes the random point R = k * G, along with a proof s, confirming that the signer knows the message h and the private key privKey. The proof s is by idea verifiable using the corresponding pubKey.
ECDSA signatures are 2 times longer than the signer's private key for the curve used during the signing process. For example, for 256-bit elliptic curves (like secp256k1
) the ECDSA signature is 512 bits (64 bytes) and for 521-bit curves (like secp521r1
) the signature is 1042 bits.