Elliptic Curve Signatures - extended

Asymmetric cryptography is one of the most important computer science inventions of the previous century. Cryptography is used extensively within Ethereum, and one place that users have contact with it is via Ethereum accounts.

As we discussed in the previous article, public key cryptography is based on mathematical functions that allow for unique public/private key pairs. Those pairs of keys have special properties, like ease of creation, but it’s extremely hard (nearly impossible) to create a private key from its public key. Having a private key makes it easy to create a public key, but just from knowing a public key, we cannot know which private key was used to create that public key.

Proof of ownership of Externally Owned Accounts (EOAs) is established through private keys and digital signatures. The private keys are used almost everywhere within Ethereum during user interactions, and the Ethereum address of an EOA is derived from the private key. In other words, the Ethereum address is the last 20 bytes of hash of the public key controlling the account with 0x appended in front.

In a blockchain system, any key holder can use their private key to sign a piece of data. This results in a signature. Whoever obtains the signature can use this to:

  • Recover the public key (account address) of the Author
  • Verify whether the message is the same as the one signed by Author

To prove you are the true owner of an EOA, you need to sign a message with the corresponding private key. This means that only you have access to the funds on your account. When making a transaction sending 1 Ether to a contract to mint a new NFT, under the hood, Ethereum verifies the digital signature you created (using the private key) against the corresponding account’s public key hash (the address).

ECDSA

Elliptic Curve Cryptography (ECC) and ECDSA are a specific flavor of asymmetric cryptography. They are widely used in blockchain technology because of three reasons:

  • Their computational performance is economical compared to a lot of other algorithms
  • The keys that are generated are relatively short
  • Bitcoin started it, so most new blockchain projects have copied it

ECDSA uses the algebraic structure of elliptic curves over finite fields. Without getting into the mathematics of it, they require a set of constants to define this curve. The constants used by most blockchains are set in the secp256k1 standard.

Before blockchain, this elliptic curve standard was not common at all. In fact, most mainstream hardware vendors don’t support hardware encryption for this curve. It is rumored that secp256k1 was picked because it has the least likelihood of having kleptographic backdoors implanted by the NSA.

The ECDSA method significantly improved the performance of signing messages than the RSA-based DSA method. Its usage of elliptic curve methods speeded up the whole process and supported much smaller key sizes. Its crown and glory were being selected by Satoshi Nakamoto for his Bitcoin protocol, and then its adoption into Ethereum.

Both Smart Contracts and Ethereum clients have the ability to verify ECDSA signatures. ECDSA verification in Smart Contracts allows tamper proof communications outside of the blockchain.

When we sign any message, whether a transaction on Ethereum or any form of data, we create a digital signature. This is done by hashing the message and running the ECDSA algorithm to combine the hash with the private key, producing a signature. By doing this, any changes to the message will result in a different hash value. Encryption techniques like ECDSA play a paramount role in securely extending existing blockchains.

EdDSA and Ed25519

While ECDSA is probably the most widely deployed elliptic curve digital signature scheme, EdDSA has a number of properties that make it an attractive alternative to ECDSA.

The Edwards-curve Digital Signature Algorithm (EdDSA) is used to create a digital signature using an enhancement of the Schnorr signature with Twisted Edwards curves. Overall it is faster than many other digital signature methods and is strong for security. One example of EdDSA is Ed25519, and which is based on Curve 25519. It provides around 128-bit security and generates a 64-byte signature value of (R,s). Along with this, it has 32-byte values for the public and the private keys.

ECDSA vs EdDSA

So, what’s the difference between ECDSA and EdDSA?

ECDSA stands for Elliptic Curve Digital Signature Algorithm, and EdDSA stands for Edwards-curve Digital Signature Algorithm. Both are used to create digital signatures, and where Bob uses his private key to sign for a message, and then Alice proves the signature with the message, the signature and Bob’s public key. Once Bob has signed the message, there should be no way of going back and changing the key to a different key or changing the message — as these would not verify the signature.

For something that is compatible with Bitcoin and Ethereum, ECDSA provides the best solution. However, it struggles though in signature aggregation and in splitting keys within a distributed environment. Unfortunately it also relies on a random nonce value to be created, and if the nonce is not random, it can significantly reduce the security of the signature. EdDSA has around the same speed performance as ECDSA, but it naturally supports the aggregation of keys in order to merge them within a signing process. This is because they are based on the Schnorr signature method.

The RFC lists the following advantages to EdDSA (paraphrased):

  • High performance across platforms
  • You don't need to use a unique random number for each signature (avoiding the PS3 problem, where a reused random number exposed Sony's signing key)
  • Side channel resistance
  • Small public keys and signatures (32 and 64 bytes respectively for Ed25519)
  • Formulas are valid for all points on the curve, without exceptions
  • Collision resistance

Conclusion

ECDSA and EdDSA typically have equivalent performance and security levels. However, with ECDSA, we need to be careful in making sure that we do not reuse this nonce value, and that it is random. That is due to the fact, that ECDSA has a random nonce value created within the signature creation, whereas EdDSA does not.

EdDSA supports more features, such as the aggregation of keys in the signature, and also the aggregation of the signature for multiple parties. However, this seems to be not enough to tip the scales and for the time being, ECDSA is more often used - mainly to keep compatibility with Bitcoin and Ethereum. However, EdDSA has a smaller public keys and overall better performance. This is due to ECDSA using (x,y) coordinates for the public keys and thus having 512 bits (for secp256k1), while Ed25519 uses just the y co-ordinate value for the point, and thus has 256 bits.

And finally, we need to start building digital systems which are secure by design. At its core of this is the mighty digital signature. Whether it’s ECDSA or EdDSA, you know that maths are making sure that there is some certainty in a transaction.

Comments

Post a Comment

Popular posts from this blog

Rust Static Analysis and Blockchain Licensing

Image
What is static analysis? Static analysis is an analysis of software artifacts. For example requirements or code, carried out without execution of these software development artifacts. Static analysis is usually carried out using supporting tools. In other words, we can say that static analysis is an examination of requirements, design, and code that differ from more traditional dynamic testing in several important ways. The main goal behind this analysis is to find the bugs, whether or not they may cause failures. As with reviews, static analysis finds bugs rather than failures. The general name for static analysis is linting. lint, or a linter, is a tool that analyzes source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. Simply put, a linter is a tool that programmatically scans your code with the goal of finding issues that can lead to bugs or inconsistencies with code health and style. Some can even help fix them for you! How to analyse
Read more

Length extension attack

Image
What is length extension? When a Merkle–Damgård based hash is misused as a message authentication code with construction H(secret ‖ message), and message and the length of secret is known, a length extension attack allows anyone to include extra information at the end of the message and produce a valid hash without knowing the secret. Quick sidebar, before you freak out: Since HMAC does not use this construction, HMAC hashes are not prone to length extension attacks. So, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible, nor is the SHA-3 algorithm. A bit more details
Read more

CAP Theorem and blockchain

Image
In theoretical computer science, the CAP theorem states that it is impossible for a distributed data store (such as a blockchain network) to simultaneously provide more than two out of the three guarantees: Consistency, Availability & Partition tolerance. CAP Theorem – the parts C: Consistency – At any given time, all nodes in the network have exactly the same (most recent) value. A: Availability – Every request to the network receives a response, though without any guarantee that returned data is the most recent. P: Partition tolerance – The network continues to operate, even if an arbitrary number of nodes are failing. Due to the nature of distributed data stores (such as blockchain), Partition tolerance is a given fact; there will always be failing/unreachable nodes in the network (not least because of the unstable nature of the internet). CAP Theorem states that one has to choose between C (Consistency) or A (Availability) when in the presence of P (Partition): Av
Read more