2017-06-16 Friday-night tweet-size crypto: ECDSA over secp256k1
(Permalink: https://mumble.net/~campbell/2017/06/16/fntsc-ecdsa-secp256k1)
(Twitter: https://twitter.com/Riastradh_/status/875921073409282048)
(For amusement purposes only!)
- Parameters: Let p = 2^256 - 2^32 - 978, a prime; E, the Weierstrass
curve y^2 = x^3 + 7 over Z/pZ; B, a point of order p; H, SHA256.
- Keygen: Pick a uniformly in Z/pZ; publish A = a B.
- Verify: Given message m, point R on E, and scalar s in Z/pZ, test
H(m) s^-1 B + x(R) s^-1 A = R.
- Sign: Pick r uniformly in Z/pZ; compute R = r B, s = r^-1 [H(m) +
x(R) a] (mod p).
- Nwice attack: If (m, R, s) and (m', R, s') are valid signatures
under public key A = a B, then a = [s (H(m) - H(m'))/(s - s') -
H(m)]/x(R).
- Signature malleability: If (m, R, s) is a valid signature, then
so is (m, -R, -s), since x(-R) = x(R).
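The whole scheme in working Python, as an added example that is not part of the post: sign, verify, the nwice key-recovery formula and the sign-flip malleability, all run on the real secp256k1 constants. It assumes the standard generator and group order N (the post writes every scalar mod p, whereas the standard curve reduces scalars mod a separate group order N), and the nonce is a parameter of sign() purely so the reuse failure can be reproduced deterministically.

```python
import hashlib
import secrets
# Standard secp256k1 constants (assumed here, not taken from the post). The post
# writes every scalar mod p; real ECDSA reduces scalars mod the group order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    # Affine addition on y^2 = x^3 + 7 over Z/PZ; None is the point at infinity.
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None   # p2 == -p1
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    # Double-and-add scalar multiplication k * pt (not constant-time; demo only).
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(m): return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def keygen():
    a = secrets.randbelow(N - 1) + 1
    return a, mul(a, B)

def sign(a, m, r):
    # r is a parameter only so nonce reuse can be reproduced; a real signer draws
    # a fresh uniform r (secrets.randbelow) for every single signature.
    R = mul(r, B)
    return R, pow(r, -1, N) * (H(m) + R[0] * a) % N

def verify(A, m, R, s):
    u = pow(s, -1, N)
    return add(mul(H(m) * u % N, B), mul(R[0] * u % N, A)) == R

def recover_key(m1, s1, m2, s2, R):
    # The post's nwice formula: two signatures sharing R give away the key a.
    r = (H(m1) - H(m2)) * pow(s1 - s2, -1, N) % N
    return (s1 * r - H(m1)) * pow(R[0], -1, N) % N

def negate(R, s):
    # Malleability: (m, -R, -s) verifies whenever (m, R, s) does, as x(-R) = x(R).
    return (R[0], (-R[1]) % P), (-s) % N
```

A verifier that wants a canonical encoding must reject one of the two (R, s) forms itself; the signature equation alone cannot tell them apart.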
--
Copyright (c) 2006--2017, Taylor R. Campbell.
Verbatim copying and distribution of this entire article are permitted
worldwide, without royalty, in any medium, provided this notice, and
the copyright notice, are preserved.