Note to Self: ECDSA trivia

Takahiko Kawasaki
2 min readJun 4, 2023

--

Boolean value for y-coordinate?

While implementing the feature of signing and verification with ES256 / ES384 / ES512 algorithms into my Java library for CBOR / COSE / CWT (authlete/cbor), I noticed that “IANA COSE Key Type Parameters” states that the y-coordinate of EC2 keys can be represented as a boolean value instead of an integer value.

Through an internet search, I found the following sentence in “2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion” of “SEC 1: Elliptic Curve Cryptography”.

Derive from yP a single bit ỹP as follows (this allows the y-coordinate to be represented compactly using a single bit)

When the y-coordinate is represented as a single bit (which can be represented as a boolean value), the actual value of the y-coordinate needs to be calculated using other parameters such as the x-coordinate and elliptic curve parameters.

In the case of “prime finite fields”, which is the case for P-256, P-384 and P-521 (which are elliptic curves used by ES256, ES384 and ES512 algorithms, respectively), the y-coordinate (yp) is calculated by the following steps as instructed in “2.3.4 Octet-String-to-Elliptic-Curve-Point Conversion”.

  1. Compute the field element αx³p + axp + b (mod p)
  2. Compute a square root β of α modulo p
  3. Output “invalid” and stop if there are no square roots of α modulo p
  4. Otherwise set yp = β if βp (mod 2), and set yp = p - β if βp (mod 2)

I implemented the calculation steps (uncompressY() in ECDSA.java) based on a certain answer found on Stack Overflow. But, to be honest, I haven’t tested it yet, so I’m not sure if it’s a correct implementation.

DER or P1363?

The algorithm results in a pair of integers (R, S). There are two major ways to encode the two integers into a byte array. One is DER and the other is P1363.

If you pass "SHA256withECDSA" to the getInstance(String) method of the java.security.Signature class, the returned Signature instance presumes that the format of signatures is DER.

"SHA256withECDSAinP1363Format" should be specified instead to create a Signature instance for the P1363 format, which is adopted by COSE ECDSA (RFC 9053, 2.1. ECDSA).

--

--

Takahiko Kawasaki
Takahiko Kawasaki

Written by Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/

No responses yet