The most surprising true thing about ECDSA is that it achieves the same security as RSA, but with keys that are orders of magnitude smaller.
Let’s see ECDSA in action. Imagine Alice wants to send a message to Bob and prove it came from her, without anyone else being able to forge it. She uses her private key to create a signature for the message, and Bob uses Alice’s public key to verify it.
Here’s a simplified, conceptual look at the process. Alice has a message M. She calculates a hash of M, let’s call it h. Then, using her ECDSA private key d and a chosen random number k, she computes two values, r and s, which together form the signature (r, s). The core of this involves point multiplication on an elliptic curve: (x, y) = k * G, where G is a predefined base point on the curve. r is derived from the x-coordinate x, and s is calculated using d, h, r, and k. The random number k must be unique for each signature and kept secret.
Bob receives the message M and the signature (r, s). He also needs Alice’s public key, which is a point Q on the same elliptic curve, derived from her private key d by Q = d * G. Bob first recalculates the hash h' of the received message M. Then, using h', r, s, and Alice’s public key Q, he performs a verification calculation. If the verification succeeds, he knows the message is authentic and hasn’t been tampered with. The verification essentially checks if s * G = h' * Q + r * (some_point_derived_from_Q_and_r). If this equation holds true, the signature is valid.
The "magic" happens within the mathematics of elliptic curves. An elliptic curve is defined by an equation like y^2 = x^3 + ax + b. ECDSA relies on the discrete logarithm problem on these curves. It’s easy to compute a point Q by multiplying a base point G by a scalar d (Q = d * G), but it’s computationally infeasible to find d given Q and G. This asymmetry is what provides the security.
The specific elliptic curve and its parameters (like the base point G and the order of the group) are crucial. For example, the secp256k1 curve, famously used by Bitcoin, has parameters defined by its equation y^2 = x^3 + 7 over a finite field. The choice of curve impacts security and performance. A smaller curve is faster but less secure. A larger curve is more secure but slower.
The practical implementation requires careful handling of the random number k. If k is reused for different messages, an attacker can easily derive the private key d. This is a critical vulnerability, famously exploited in some early implementations. The randomness must be cryptographically secure and truly unique for every signature operation.
The size of the keys is where ECDSA truly shines. A 256-bit ECDSA private key offers comparable security to a 3072-bit RSA key. This means smaller signatures, faster computations (especially for verification), and significantly reduced bandwidth and storage requirements. For instance, an ECDSA public key might be just 512 bits (two 256-bit coordinates), while an equivalent RSA public key would be 3072 bits.
The interaction between the hash function and the elliptic curve arithmetic is what makes it all work. The hash h is reduced modulo the order of the curve’s base point. This ensures that the values used in the signature calculation are within the bounds of the group’s arithmetic. The signature s is also taken modulo the order of the group. If s is zero, a new signature must be generated.
The next step in understanding digital signatures is often exploring how these public keys are distributed and managed, leading into Public Key Infrastructure (PKI) and X.509 certificates.