Elliptic Curve Signatures — extended
Asymmetric cryptography is one of the most important computer science inventions of the previous century. Cryptography is used extensively within Ethereum, and one place that users have contact with it is via Ethereum accounts.
As we discussed in the previous article, public key cryptography is based on mathematical functions that allow for unique public/private key pairs. Those pairs of keys have special properties, like ease of creation, but it’s extremely hard (nearly impossible) to create a private key from its public key. Having a private key makes it easy to create a public key, but just from knowing a public key, we cannot know which private key was used to create that public key.
Proof of ownership of Externally Owned Accounts (EOAs) is established through private keys and digital signatures. The private keys are used almost everywhere within Ethereum during user interactions, and the Ethereum address of an EOA is derived from the private key. In other words, the Ethereum address is the last 20 bytes of hash of the public key controlling the account with 0x appended in front.
In a blockchain system, any key holder can use their private key to sign a piece of data. This results in a signature. Whoever obtains the signature can use this to:
- Recover the public key (account address) of the Author
- Verify whether the message is the same as the one signed by Author
To prove you are the true owner of an EOA, you need to sign a message with the corresponding private key. This means that only you have access to the funds on your account. When making a transaction sending 1 Ether to a contract to mint a new NFT, under the hood, Ethereum verifies the digital signature you created (using the private key) against the corresponding account’s public key hash (the address).
Elliptic Curve Cryptography (ECC) and ECDSA are a specific flavor of asymmetric cryptography. They are widely used in blockchain technology because of three reasons:
- Their computational performance is economical compared to a lot of other algorithms
- The keys that are generated are relatively short
- Bitcoin started it, so most new blockchain projects have copied it
ECDSA uses the algebraic structure of elliptic curves over finite fields. Without getting into the mathematics of it, they require a set of constants to define this curve. The constants used by most blockchains are set in the secp256k1 standard.
Before blockchain, this elliptic curve standard was not common at all. In fact, most mainstream hardware vendors don’t support hardware encryption for this curve. It is rumored that secp256k1 was picked because it has the least likelihood of having kleptographic backdoors implanted by the NSA.
The ECDSA method significantly improved the performance of signing messages than the RSA-based DSA method. Its usage of elliptic curve methods speeded up the whole process and supported much smaller key sizes. Its crown and glory were being selected by Satoshi Nakamoto for his Bitcoin protocol, and then its adoption into Ethereum.
Both Smart Contracts and Ethereum clients have the ability to verify ECDSA signatures. ECDSA verification in Smart Contracts allows tamper proof communications outside of the blockchain.
When we sign any message, whether a transaction on Ethereum or any form of data, we create a digital signature. This is done by hashing the message and running the ECDSA algorithm to combine the hash with the private key, producing a signature. By doing this, any changes to the message will result in a different hash value. Encryption techniques like ECDSA play a paramount role in securely extending existing blockchains.
EdDSA and Ed25519
While ECDSA is probably the most widely deployed elliptic curve digital signature scheme, EdDSA has a number of properties that make it an attractive alternative to ECDSA.
The Edwards-curve Digital Signature Algorithm (EdDSA) is used to create a digital signature using an enhancement of the Schnorr signature with Twisted Edwards curves. Overall it is faster than many other digital signature methods and is strong for security. One example of EdDSA is Ed25519, and which is based on Curve 25519. It provides around 128-bit security and generates a 64-byte signature value of (R,s). Along with this, it has 32-byte values for the public and the private keys.
ECDSA vs EdDSA
So, what’s the difference between ECDSA and EdDSA?
ECDSA stands for Elliptic Curve Digital Signature Algorithm, and EdDSA stands for Edwards-curve Digital Signature Algorithm. Both are used to create digital signatures, and where Bob uses his private key to sign for a message, and then Alice proves the signature with the message, the signature and Bob’s public key. Once Bob has signed the message, there should be no way of going back and changing the key to a different key or changing the message — as these would not verify the signature.
For something that is compatible with Bitcoin and Ethereum, ECDSA provides the best solution. However, it struggles though in signature aggregation and in splitting keys within a distributed environment. Unfortunately it also relies on a random nonce value to be created, and if the nonce is not random, it can significantly reduce the security of the signature. EdDSA has around the same speed performance as ECDSA, but it naturally supports the aggregation of keys in order to merge them within a signing process. This is because they are based on the Schnorr signature method.
The RFC lists the following advantages to EdDSA (paraphrased):
- High performance across platforms
- You don’t need to use a unique random number for each signature (avoiding the PS3 problem, where a reused random number exposed Sony’s signing key)
- Side channel resistance
- Small public keys and signatures (32 and 64 bytes respectively for Ed25519)
- Formulas are valid for all points on the curve, without exceptions
- Collision resistance
ECDSA and EdDSA typically have equivalent performance and security levels. However, with ECDSA, we need to be careful in making sure that we do not reuse this nonce value, and that it is random. That is due to the fact, that ECDSA has a random nonce value created within the signature creation, whereas EdDSA does not.
EdDSA supports more features, such as the aggregation of keys in the signature, and also the aggregation of the signature for multiple parties. However, this seems to be not enough to tip the scales and for the time being, ECDSA is more often used — mainly to keep compatibility with Bitcoin and Ethereum. However, EdDSA has a smaller public keys and overall better performance. This is due to ECDSA using (x,y) coordinates for the public keys and thus having 512 bits (for secp256k1), while Ed25519 uses just the y co-ordinate value for the point, and thus has 256 bits.
And finally, we need to start building digital systems which are secure by design. At its core of this is the mighty digital signature. Whether it’s ECDSA or EdDSA, you know that maths are making sure that there is some certainty in a transaction.
Originally published at https://deeprnd.blogspot.com on May 17, 2022.