9

What will be the signature length for a 256-bit EC key in the ECDSA algorithm? I wanted to validate the signature length for the same. It would be great if somebody could help me with one EC key set.

Jeet
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Cryptography Stack Exchange](http://crypto.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Feb 18 '18 at 05:09

1 Answer

13

It depends on how you encode the signature. This is the code segment from OpenSSL that measures the length of an ECDSA signature in DER format.

```c
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>

/** ECDSA_size
 * returns the maximum length of the DER encoded signature
 * \param  r pointer to an EC_KEY object
 * \return number of bytes required for the DER encoded signature
 */
int ECDSA_size(const EC_KEY *r)
{
    int ret, i;
    ASN1_INTEGER bs;
    BIGNUM *order = NULL;
    unsigned char buf[4];
    const EC_GROUP *group;

    if (r == NULL)
        return 0;
    group = EC_KEY_get0_group(r);
    if (group == NULL)
        return 0;

    if ((order = BN_new()) == NULL)
        return 0;
    if (!EC_GROUP_get_order(group, order, NULL)) {
        BN_clear_free(order);
        return 0;
    }
    /* r and s each take one byte per 8 bits of the group order, rounded up. */
    i = BN_num_bits(order);
    bs.length = (i + 7) / 8;
    bs.data = buf;
    bs.type = V_ASN1_INTEGER;
    /* If the top bit is set the asn1 encoding is 1 larger. */
    buf[0] = 0xff;

    i = i2d_ASN1_INTEGER(&bs, NULL); /* DER length of one worst-case INTEGER */
    i += i;                          /* r and s */
    ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); /* both wrapped in a SEQUENCE */
    BN_clear_free(order);
    return (ret);
}
```

The result of the above function with an EC_KEY on the prime256 curve as the parameter is

```c
sig_len = ECDSA_size(eckey);
```

where sig_len is 72.

You need 72 bytes for a DER-encoded ECDSA signature using a 256-bit EC key.

Chiara Hsieh
  • Note this is the maximum length; a significant fraction of actual signature values are shorter. If handling them yourself it is okay to include trailing unused space, e.g. in a fixed-size database column, but for checking a received value, or when putting it in a composite like an X.509 cert, you must support variable length. – dave_thompson_085 Feb 15 '18 at 22:38
  • As you said, it depends on the encoding. P1363 only needs 64 bytes. And an OpenPGP encoding only needs 66 bytes. As you pointed out, ASN.1/DER needs up to 72 bytes. DER requires a minimum number of bytes. If ASN.1/BER is used, then the signature can be hundreds of bytes. Just pad the `INTEGER` on the left with a string of 0's. I believe BER is the case @dave_thompson pointed out. – jww Feb 18 '18 at 05:21
  • @jww: there are other encodings, but OpenSSL only outputs DER, and this answer uses OpenSSL and explicitly says DER, and that's what I was commenting on. However, BER does not allow 'oversize' INTEGERs (nor composite ones); all it could do is make the SEQUENCE indefinite with EOC, and that only adds 2 octets (and they're trailing zeros, which some sw mangles!) – dave_thompson_085 Feb 18 '18 at 09:35
  • Yes, this seems correct, because I tried generating an ECDSA signature that uses SHA256 in the mbedTLS library using the method `mbedtls_pk_sign`. I was expecting to get a 64-byte result, as the pure mathematics of it would suggest (see https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages#:~:text=ECDSA%20signatures%20are%202%20times,the%20signature%20is%201042%20bits.). But the result I got was 72, and the mbedTLS library uses the DER encoding format, so this seems correct to me after reading this post. – Papyrus Jul 07 '22 at 15:29
  • ASN1 integers (used in DER encoding) are signed. But these signatures use unsigned numbers. This means that if the upper bit is "1", it would be a negative number. So to express an ASN1 unsigned integer whose top bit (if expressed in "X" bits) were to be "1", and therefore negative, requires adding a 0x00 MSB. Therefore such an integer must be expressed with one extra byte. – Brad Jan 26 '23 at 18:13
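The size rule in the answer and the encoding points raised in the comments (the 0x00 pad byte, the 64-byte P1363 form, variable DER length, BER padding), worked through as an added example that is not code from the question, the answer or OpenSSL. The curve order in bits is the only input; the sample r||s value is constructed.

```python
# Added example (not code from the question, the answer or OpenSSL): the DER size rule
# ECDSA_size() implements, and a strict converter between DER and the P1363 r||s form.

def ecdsa_max_der_size(order_bits: int) -> int:
    """Worst case (r and s both have the top bit set), as ECDSA_size() computes it."""
    n = (order_bits + 7) // 8
    body = 2 * (2 + 1 + n)  # two INTEGERs: 0x02, length byte, 0x00 pad, n content bytes
    return body + (2 if body < 128 else 3)  # SEQUENCE tag + short- or long-form length

def _der_uint(v: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (0x00 pad only when the top bit is set)."""
    content = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(content)]) + content

def p1363_to_der(raw: bytes) -> bytes:
    half = len(raw) // 2  # raw is r || s, each half the curve byte length
    body = _der_uint(int.from_bytes(raw[:half], "big")) + _der_uint(int.from_bytes(raw[half:], "big"))
    return b"\x30" + bytes([len(body)]) + body  # body < 128 bytes for curves below ~500 bits

def der_to_p1363(sig: bytes, order_bits: int) -> bytes:
    """Strict decoder: rejects non-minimal INTEGERs, BER forms and trailing bytes."""
    n = (order_bits + 7) // 8
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE covering the whole input")
    pos, parts = 2, []
    for _ in range(2):
        if len(sig) < pos + 2 or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ln, content = sig[pos + 1], sig[pos + 2:pos + 2 + sig[pos + 1]]
        if ln == 0 or len(content) != ln or content[0] & 0x80:
            raise ValueError("bad INTEGER length or negative value")
        if ln > 1 and content[0] == 0 and not content[1] & 0x80:
            raise ValueError("non-minimal INTEGER (unneeded leading 0x00)")
        value = int.from_bytes(content, "big")
        if value.bit_length() > order_bits:
            raise ValueError("value wider than the group order")
        parts.append(value.to_bytes(n, "big"))
        pos += 2 + ln
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return b"".join(parts)

def is_strict_der(sig: bytes, order_bits: int) -> bool:
    try:
        der_to_p1363(sig, order_bits)
        return True
    except ValueError:
        return False
# Constructed sample: r has its top bit set (needs the 0x00 pad byte), s is tiny.
SAMPLE_RAW = ((1 << 255) | 0x1234).to_bytes(32, "big") + (0x7F).to_bytes(32, "big")
```

For P-256 the function returns 72, matching ECDSA_size(), while the sample signature encodes to only 40 bytes, which is why a receiver has to accept variable length rather than a fixed 72.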