ECDSA

ECDSA is one of signature schemes supported natively in Plutus, together with ed25519 and Schnorr. In particular, the natively supported ECDSA algorithm works over curve SECP256k1, enabling support for Bitcoin's and Ethereum's native signatures.

Implementation and bindings

We currently relly in Bitcoin's implementation available in secp256k1. We have analysed, and recommend, bindings in the following languages:

• Haskell: Available in cardano-base

Common mistakes

An ECDSA signature consists of two values $(r,s)$, where are scalars. A problem of using ECDSA in consensus critical contexts, is that the signature algorithm (as defined in the standard) is malleable. Specifically, given a valid signature $(r,s)$, the tuple $(r,-s)$ is also a valid signature. To avoid problems resulting from this malleability, the implementation we use checks that the $$s<p/2$$, where $p$ is the order of the prime order group. More details of such a check in the spec section.

Another common problem of verifying ECDSA signatures is that the hashing of the message must be performed by the verifier itself, rather than accepting a hashed message. This can be dangerous. Therefore, the verifier, before proceeding with verification, hashes the message.