Skip to main content

ECDSA signature and verification

An ECDSA signature is made up of two components: r and s. Each component is a large integer whose size is no bigger than curve order. Often, the signature is referred to as the concatenation of these two values after they have been represented as big-endian byte arrays, each padded to the same length as the curve order if necessary. Some Crypto Interface APIs may compute or take in the signature in this concatenated form, while others may have separate parameters for the r and s components.

As with RSA and DSA, with ECDSA it is customary to digest the message before doing the ECDSA signing step. The Crypto Interface provides APIs that perform only the raw ECDSA signing step (i.e., no hashing):


  • CRYPTO_INTERFACE_ECDSA_verifySignatureDigestAux

The Crypto Interface also provides APIs that perform message hashing in addition to the signing step:



Since the Edward’s Digital Signature algorithm (EdDSA) performs hashing intrinsically as part of the algorithm specifications, only the latter two APIs work with an Edward’s form curve.

To illustrate the usage of the first two APIs, an application should know how big a signature is going to be by using the following method to obtain the elementLen of the curve. For any of the curves that NanoCrypto supports, this length is simultaneously the coordinate length, the private key length, and the length of each r and s, in bytes:

CRYPTO_INTERFACE_EC_getElementByteStringLenAux(pPrivKey, &elementLen);

Using a buffer pSignature with signatureLen = 2 * elementLen, call:

CRYPTO_INTERFACE_ECDSA_signDigestAux(pPrivKey, RANDOM_rngFun, g_pRandomContext, pDigest, digestLen, pSignature, signatureLen, &signatureLen);

The resulting signature is written to the pSignature buffer. To verify the signature, enter r and s as separate parameters, where r begins at pSignature and s begins at pSignature + elementLen:

CRYPTO_INTERFACE_ECDSA_verifySignatureDigestAux (pPubKey, pDigest, digestLen, pSignature, elementLen, pSignature + elementLen, elementLen, &vfy);

The value of vfy is 0 if the signature is valid, and non-zero otherwise.


Ensure that both the return status is OK and vfy is equal to 0 before accepting that the signature is valid.

Complete example

A complete example may be found at: