1

I am currently working on signing a hashed message using the mbedTLS (formerly PolarSSL) library. I am currently stuck with using the obvious function:

int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
                       const unsigned char *hash, size_t hlen,
                       unsigned char *sig, size_t *slen,
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng )

It seems that this works properly, but I have a problem with the given parameter mbedtls_md_type_t md_alg. This parameter identifies the message digest algorithm that was used for the given hash.

md_alg is an enum defined in 'md.h' and describes the following values:

enum mbedtls_md_type_t { MBEDTLS_MD_NONE =0, MBEDTLS_MD_MD2, MBEDTLS_MD_MD4, MBEDTLS_MD_MD5, MBEDTLS_MD_SHA1, MBEDTLS_MD_SHA224, MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA384, MBEDTLS_MD_SHA512, MBEDTLS_MD_RIPEMD160 }

As I need to be using SHA3 (keccak 256) as a hashing algorithm, mbedTLS does not offer this. I am now hashing using another method and putting the SHA3 hash into the mbedtls_ecdsa_write_signature() function.

As the md_alg parameter I have tried out the different values that define the message digest algorithm and I get the following output:

(md_alg) + Signature: (len: length) signature

(3) + Signature: (len: 70) 304402206AD43BB99B8D97A0890ED7295BDDF8E826AF44AA1FAC9B471EBD415078F3194C02204C0DE87286C2C2B6160B7410A7692DE0995FE79347752A1E828E829FFD981257
(4) + Signature: (len: 72) 3046022100D8C89CD146F08ECA0ACCD66AD0FAF07D8ED761602EBB5DAC8E4F2B6E9634EBC4022100897583BAE04B0B46044AD5910CC704039F7B46DDCBA46344E065687798B2E605
(5) + Signature: (len: 71) 3045022100EBDFC64BC39F77753E5255AED340CFB8946584B7D2AAF5F32A611BFF29631CFC02201233084DD8E96598483F2BEAFACD03E5D8449511A3F6BAB85175158950333084
(6) + Signature: (len: 71) 304502200E7220C8697456CA3151C967EEB2DB6AD6F9E6ACB740E7980D41582496635228022100A01FA55C71A30D042C5932498C0F69ADAB81F5026E5CC0204A304217883B814C
(7) + Signature: (len: 71) 3045022100ADBC91C37D20EA747B9854C26CFE067311C86A168FE8B06237C1D0EB2F8E6F04022004B99EE9B920B57BAE1BFFCED6BDD7ED3C48571BC4D7326F67EC90AF045AC193
(8) + Signature: (len: 71) 3045022027CC7F76558EF628370E3554B575A0FD15F55952AB2E1CC30AC51A21DEFAE1AC0221009746FF2012E005057BFF0674E78235BD08B7C54C2547CAC63EDD5B160245A309
(9) + Signature: (len: 70) 3044022059512D16AC85EB8BFDFBD488A497A0CAA28AEA0A53F280FD7FDB4297C4D49DBD02200AAD2F32B63C76B82B75F3C97F555E5D895C3A8717D5E617AAFD7E8788E4311F

As you can see, choosing different values for md_alg results in different signatures (given the same hash and private_key).

So far I have been looking through the 'ecdsa.c' source file and cannot find a reason why choosing different values for md_alg results in different output signatures.

Is there anything I can do differently for using a SHA3 hash, and why do the signatures differ from one another?

Thank you

ameeuw

1 Answer

1

Short answers:

  • you don't need to do anything differently
  • the signatures differ because the signature algorithm is randomised

This is because the purpose of the mbedtls_md_type_t md_alg passed to mbedtls_ecdsa_write_signature is not to indicate the algorithm that was used to create the given hash.

What happens is that the algorithm constructs a pseudorandom generator (HMAC-DRBG) based on the given md_alg and seeds it with the private key. Now, if the hash algorithm is different, then the pseudorandom sequence will be different and that makes the signature itself different as well.

J. Follath
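The nonce derivation the answer describes, written out as an added Python example following RFC 6979 (it is not mbedTLS code and not part of the original answer): the same private key and the same 32-byte digest are fed to HMAC-DRBG instances built on different hashes, and each yields a different nonce k, hence a different but equally valid signature. Assumptions: a build with MBEDTLS_ECDSA_DETERMINISTIC enabled, the P-256 group order (the post does not name the curve), a constructed private key, and SHA3-256 from hashlib standing in for the asker's externally computed digest.

```python
import hashlib
import hmac

# Assumption: NIST P-256 group order; the post does not name the curve.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = Q.bit_length()
ROLEN = (QLEN + 7) // 8

def bits2int(data):
    """Interpret bytes as an integer, keeping only the leftmost QLEN bits."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - QLEN
    return value >> excess if excess > 0 else value

def rfc6979_k(priv, digest, md_name):
    """Derive the per-signature nonce k with HMAC-DRBG over hash md_name."""
    def mac(key, msg):
        return hmac.new(key, msg, md_name).digest()
    hlen = hashlib.new(md_name).digest_size
    # Seed material: private key plus the (reduced) message digest.
    seed = priv.to_bytes(ROLEN, "big") + (bits2int(digest) % Q).to_bytes(ROLEN, "big")
    v, key = b"\x01" * hlen, b"\x00" * hlen
    for sep in (b"\x00", b"\x01"):
        key = mac(key, v + sep + seed)
        v = mac(key, v)
    while True:
        t = b""
        while len(t) < ROLEN:
            v = mac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < Q:
            return k
        # Candidate out of range: update the DRBG state and try again.
        key = mac(key, v + b"\x00")
        v = mac(key, v)

def nonces_by_md(priv, digest, md_names=("sha1", "sha224", "sha256", "sha384", "sha512")):
    """Same key, same digest; only the DRBG hash (the md_alg role) changes."""
    return {name: rfc6979_k(priv, digest, name) for name in md_names}

# Constructed sample inputs (not values from the post).
SAMPLE_PRIV = 0x1F2E3D4C5B6A79880123456789ABCDEF0FEDCBA98765432100112233445566
SAMPLE_DIGEST = hashlib.sha3_256(b"constructed sample message").digest()

if __name__ == "__main__":
    for name, k in nonces_by_md(SAMPLE_PRIV, SAMPLE_DIGEST).items():
        print(f"{name:7s} k = {k:064x}")
```

Because r is the x-coordinate of k·G, a different k changes both r and s, while verification uses only the public key and the digest and so never depends on which hash drove the DRBG.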