ECDSA signature and verification
An ECDSA signature is made up of two components: r and s. Each component is a large integer whose size is no bigger than curve order. Often, the signature is referred to as the concatenation of these two values after they have been represented as big-endian byte arrays, each padded to the same length as the curve order if necessary. Some Crypto Interface APIs may compute or take in the signature in this concatenated form, while others may have separate parameters for the r and s components.
As with RSA and DSA, with ECDSA it is customary to digest the message before doing the ECDSA signing step. The Crypto Interface provides APIs that perform only the raw ECDSA signing step (i.e., no hashing):
CRYPTO_INTERFACE_ECDSA_signDigestAux
CRYPTO_INTERFACE_ECDSA_verifySignatureDigestAux
The Crypto Interface also provides APIs that perform message hashing in addition to the signing step:
CRYPTO_INTERFACE_ECDSA_signMessageExt
CRYPTO_INTERFACE_ECDSA_verifyMessageExt
Since the Edward’s Digital Signature algorithm (EdDSA) performs hashing intrinsically as part of the algorithm specifications, only the latter two APIs work with an Edward’s form curve.
To illustrate the usage of the first two APIs, an application should know how big a signature is going to be by using the following method to obtain the elementLen
of the curve. For any of the curves that NanoCrypto supports, this length is simultaneously the coordinate length, the private key length, and the length of each r and s, in bytes:
CRYPTO_INTERFACE_EC_getElementByteStringLenAux(pPrivKey, &elementLen);
Using a buffer pSignature
with signatureLen = 2 * elementLen
, call:
CRYPTO_INTERFACE_ECDSA_signDigestAux(pPrivKey, RANDOM_rngFun, g_pRandomContext, pDigest, digestLen, pSignature, signatureLen, &signatureLen);
The resulting signature is written to the pSignature
buffer. To verify the signature, enter r and s as separate parameters, where r begins at pSignature
and s begins at pSignature + elementLen
:
CRYPTO_INTERFACE_ECDSA_verifySignatureDigestAux (pPubKey, pDigest, digestLen, pSignature, elementLen, pSignature + elementLen, elementLen, &vfy);
The value of vfy
is 0
if the signature is valid, and non-zero otherwise.
Important
Ensure that both the return status is OK
and vfy
is equal to 0
before accepting that the signature is valid.
Complete example
A complete example may be found at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_ecc_example.c