How the ECDSA algorithm works

To popular demand, I have decided to try and explain how the ECDSA algorithm works. I’ve been struggling a bit to understand it properly and while I found a lot of documentation about it, I haven’t really found any “ECDSA for newbies” anywhere. So I thought it would be good to explain in simple terms how it works so others can learn from my research. I have found some websites that explain the basic principles but nowhere near enough to actually understand it, others that explains things without any basics, making it incomprehensible, and others that go way too deep into the the mathematics behind it.

ECDSA stands for “Elliptic Curve Digital Signature Algorithm”, it’s used to create a digital signature of data (a file for example) in order to allow you to verify its authenticity without compromising its security. Think of it like a real signature, you can recognize someone’s signature, but you can’t forge it without others knowing. The ECDSA algorithm is basically all about mathematics.. so I think it’s important to start by saying : “hey kids, don’t slack off at school, listen to your teachers, that stuff might be useful for you some day!” 🙂 But these maths are fairly complicated, so while I’ll try to vulgarize it and make it understandable for non technical people, you will still probably need some knowledge in mathematics to understand it properly. I will do this in two parts, one that is a sort of high level explanation about how it works, and another where I dig deeper into its inner workings to complete your understanding. Note however that I’ve just recently learned this stuff, so I’m definitely not an expert on the matter.

So the principle is simple, you have a mathematical equation which draws a curve on a graph, and you choose a random point on that curve and consider that your point of origin. Then you generate a random number, this is your private key, you do some magical mathematical equation using that random number and that “point of origin” and you get a second point on the curve, that’s your public key. When you want to sign a file, you will use this private key (the random number) with a hash of the file (a unique number to represent the file) into a magical equation and that will give you your signature. The signature itself is divided into two parts, called R and S. In order to verify that the signature is correct, you only need the public key (that point on the curve that was generated using the private key) and you put that into another magical equation with one part of the signature (S), and if it was signed correctly using the the private key, it will give you the other part of the signature (R). So to make it short, a signature consists of two numbers, R and S, and you use a private key to generate R and S, and if a mathematical equation using the public key and S gives you R, then the signature is valid. There is no way to know the private key or to create a signature using only the public key.

Alright, now for the more in depth understanding, I suggest you take an aspirin right now as this might hurt! 😛

Let’s start with the basics (which may be boring for people who know about it, but is mandatory for those who don’t) : ECDSA uses only integer mathematics, there are no floating points (this means possible values are 1, 2, 3, etc.. but not 1.5..),  also, the range of the numbers is bound by how many bits are used in the signature (more bits means higher numbers, means more security as it becomes harder to ‘guess’ the critical numbers used in the equation), as you should know, computers use ‘bits’ to represent data, a bit is a ‘digit’ in binary notation (0 and 1) and 8 bits represent one byte. Every time you add one bit, the maximum number that can be represented doubles, with 4 bits you can represent values 0 to 15 (for a total of 16 possible values), with 5 bits, you can represent 32 values, with 6 bits, you can represent 64 values, etc.. one byte (8 bits) can represent 256 values, and 32 bits can represent 4294967296 values (4 Giga).. Usually ECDSA will use 160 bits total, so that makes… well, a very huge number with 49 digits in it…

ECDSA is used with a SHA1 cryptographic hash of the message to sign (the file). A hash is simply another mathematical equation that you apply on every byte of data which will give you a number that is unique to your data. Like for example, the sum of the values of all bytes may be considered a very dumb hash function. So if anything changes in the message (the file) then the hash will be completely different. In the case of the SHA1 hash algorithm, it will always be 20 bytes (160 bits). It’s very useful to validate that a file has not been modified or corrupted, you get the 20 bytes hash for a file of any size, and you can easily recalculate that hash to make sure it matches. What ECDSA signs is actually that hash, so if the data changes, the hash changes, and the signature isn’t valid anymore.

Now, how does it work? Well Elliptic Curve cryptography is based on an equation of the form :

y^2 = (x^3 + a * x + b) mod p

First thing you notice is that there is a modulo and that the ‘y‘ is a square. This means that for any x coordinate, you will have two values of y and that the curve is symmetric on the X axis. The modulo is a prime number and makes sure that all the values are within our range of 160 bits and it allows the use of “modular square root” and “modular multiplicative inverse” mathematics which make calculating stuff easier (I think). Since we have a modulo (p) , it means that the possible values of y^2 are between  0 and p-1, which gives us p total possible values. However, since we are dealing with integers, only a smaller subset of those values will be a “perfect square” (the square value of two integers), which gives us N possible points on the curve where N < p (N being the number of perfect squares between 0 and p). Since each x will yield two points (positive and negative values of the square-root of y^2), this means that there are N/2 possible ‘x‘ coordinates that are valid and that give a point on the curve. So this elliptic curve has a finite number of points on it, and it’s all because of the integer calculations and the modulus. Another thing you need to know about Elliptic curves, is the notion of “point addition“. It is defined as adding one point P to another point Q will lead to a point S such that if you draw a line from P to Q, it will intersect the curve on a third point R which is the negative value of S (remember that the curve is symmetric on the X axis). In this case, we define R = -S to represent the symmetrical point of R on the X axis. This is easier to illustrate with an image : So you can see a curve of the form y^2 = x^3 + ax + b (where a = -4 and b = 0), which is symmetric on the X axis, and where P+Q is the symmetrical point through X of the point R which is the third intersection of a line going from P to Q. In the same manner, if you do P + P,  it will be the symmetrical point of R which is the intersection of the line that is a tangent to the point P.. And P + P + P is the addition between the resulting point of P+P with the point P since P + P + P can be written as (P+P) + P.. This defines the “point multiplication” where k*P is the addition of the point P to itself k times… here are two examples showing this :  

Here, you can see two elliptic curves, and a point P from which you draw the tangent, it intersects the curve with a third point, and its symmetric point it 2P, then from there, you draw a line from 2P and P and it will intersect the curve, and the symmetrical point is 3P. etc… you can keep doing that for the point multiplication. You can also already guess why you need to take the symmetric point of R when doing the addition, otherwise, multiple additions of the same point will always give the same line and the same three intersections.

One particularity of this point multiplication is that if you have a point R = k*P, where you know R and you know P, there is no way to find out what the value of ‘k‘ is. Since there is no point subtraction or point division, you cannot just resolve k = R/P. Also, since you could be doing millions of  point additions, you will just end up on another point on the curve, and you’d have no way of knowing “how” you got there. You can’t reverse this operation, and you can’t find the value ‘k‘ which was multiplied with your point P to give you the resulting point R.

This thing where you can’t find the multiplicand even when you know the original and destination points is the whole basis of the security behind the ECDSA algorithm, and the principle is called a “trap door function“.

Now that we’ve handled the “basics”, let’s talk about the actual ECDSA signature algorithm. For ECDSA, you first need to know your curve parameters, those are a, b, p, N and G. You already know that ‘a‘ and ‘b‘ are the parameters of the curve function (y^2 = x^3 + ax + b), that ‘p‘ is the prime modulus,  and that ‘N‘ is the number of points of the curve, but there is also ‘G‘ that is needed for ECDSA, and it represents a ‘reference point’ or a point of origin if you prefer. Those curve parameters are important and without knowing them, you obviously can’t sign or verify a signature. Yes, verifying a signature isn’t just about knowing the public key, you also need to know the curve parameters for which this public key is derived from.

So first of all, you will have a private and a public key.. the private key is a random number (of 20 bytes) that is generated, and the public key is a point on the curve generated from the point multiplication of G with the private key. We set ‘dA‘ as the private key (random number) and ‘Qa‘ as the public key (a point), so we have : Qa = dA * G (where G is the point of reference in the curve parameters).

So how do you sign a file/message ? First, you need to know that the signature is 40 bytes and is represented by two values of 20 bytes each, the first one is called R and the second one is called S.. so the pair (R, S) together is your ECDSA signature.. now here’s how you can create those two values in order to sign a file.. first you must generate a random value ‘k‘ (of 20 byes), and use point multiplication to calculate the point P=k*G. That point’s x value will represent ‘R‘. Since the point on the curve P is represented by its (x, y) coordinates (each being 20 bytes long), you only need the ‘x‘ value (20 bytes) for the signature, and that value will be called ‘R‘. Now all you need is the ‘S‘ value.

To calculate S, you must make a SHA1 hash of the message, this gives you a 20 bytes value that you will consider as a very huge integer number and we’ll call it ‘z‘. Now you can calculate S using the equation :

S = k^-1 (z + dA * R) mod p

Note here the k^-1 which is the ‘modular multiplicative inverse‘ of k… it’s basically the inverse of k, but since we are dealing with integer numbers, then that’s not possible, so it’s a number such that (k^-1 * k ) mod p is equal to 1. And again, I remind you that k is the random number used to generate R, z is the hash of the message to sign, dA is the private key and R is the x coordinate of k*G (where G is the point of origin of the curve parameters).

Now that you have your signature, you want to verify it, it’s also quite simple, and you only need the public key (and curve parameters of course) to do that. You use this equation to calculate a point P :

P=  S^-1*z*G + S^-1 * R * Qa

If the x coordinate of the point P is equal to R, that means that the signature is valid, otherwise it’s not.

Pretty simple, huh? now let’s see why and how… and this is going to require some mathematics to verify :

We have :

P = S^-1*z*G + S^-1 * R *Qa

but Qa = dA*G, so:

P = S^-1*z*G + S^-1 * R * dA*G = S^-1 (z + dA* R) * G

But the x coordinate of P must match R and R is the x coordinate of k * G, which means that :

k*G = S^-1 (z + dA * R) *G

we can simplify by removing G which gives us :

k = S^-1(z + dA * R)

by inverting k and S, we get :

S = k^-1 (z + dA *R)

and that is the equation used to generate the signature.. so it matches, and that is the reason why you can verify the signature with it.

You can note that you need both ‘k‘ (random number) and ‘dA‘ (the private key) in order to calculate S, but you only need R and Qa (public key) to validate the signature. And since R=k*G and Qa = dA*G and because of the trap door function in the ECDSA point multiplication (explained above), we cannot calculate dA or k from knowing Qa and R, this makes the ECDSA algorithm secure, there is no way of finding the private keys, and there is no way of faking a signature without knowing the private key.

The ECDSA algorithm is used everywhere and has not been cracked and it is a vital part of most of today’s security.

Now I’ll discuss on how and why the ECDSA signatures that Sony  used in the PS3 were faulty and how it allowed us to gain access to their private key.

So you remember the equations needed to generate a signature.. R = k*G and S= k^-1(z + dA*R) mod p.. well this equation’s strength is in the fact that you have one equation with two unknowns (k and dA) so there is no way to determine either one of those. However, the security of the algorithm is based on its implementation and it’s important to make sure that ‘k‘ is randomly generated and that there is no way that someone can guess, calculate, or use a timing attack or any other type of attack in order to find the random value ‘k‘. But Sony made a huge mistake in their implementation, they used the same value for ‘k‘ everywhere, which means that if you have two signatures, both with the same k, then they will both have the same R value, and it means that you can calculate k using two S signatures of two files with hashes z and z’ and signatures S and S’ respectively :

S – S’ = k^-1 (z + dA*R) – k^-1 (z’ + da*R) = k^-1 (z + da*R – z’ -dA*R) = k^-1 (z – z’)

So : k = (z – z’) / (S – S’)

Once you know k, then the equation  for S because one equation with one unknown and is then easily resolved for dA :

dA = (S*k – z) / R

Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”.  This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key.. if there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack.

Finally! I hope this makes the whole algorithm clearer to many of you.. I know that this is still very complicated and hard to understand. I usually try to make things easy to understand for non technical people, but this algorithm is too complex to be able to explain in any simpler terms. After all that’s why I prefer to call it the MFET algorithm (Mathematics For Extra Terrestrials) 🙂

But if you are a developer or a mathematician or someone interested in learning about this because you want to help or simple gain knowledge, then I’m sure that this contains enough information for you to get started or to at least understand the concept behind this unknown beast called “ECDSA”.

That being said, I’d like to thank a few people who helped me understand all of this, one particularly who wishes to remain anonymous, as well as the many wikipedia pages I linked to throughout this article, and Avi Kak thanks to his paper explaining the mathematics behind ECDSA, and from which I have taken those graph images aboves.

P.s: In this article, I used ’20 bytes’ in my text to talk about the ECDSA signature because that’s what is usually used as it matches the SHA1 hash size of 20 bytes and that’s what the PS3 security uses, but the algorithm itself can be used with any size of numbers. There may be other inaccuracies in this article, but like I said, I’m not an expert, I just barely learned all of this in the past week.

158 thoughts on “How the ECDSA algorithm works

  1. Nice article very clear and easy to understand, a lot of people don’t understand the complexity of crypto algorithms but hopefully this will help. looks like its going to take a hardware hacker to rip out the keys

  2. Just wait for the 4.00JB you all pushing nd nagging is not helping, took time for 3.55 so jus wait for 4.00..
    Ps I’M EXITED TOO LOL

  3. It is possible to change a file with dumb data to make a sha-1 collision (2 different files with the same hash) this way you can use one signature to sign another file.
    Do you know how to do it?
    I will search here and send you the code
    Sha1 and md5 are not used anymore because of this finding…

    • It is “possible” but it needs to be bruteforced and i’s just as complicated and long as finding the private key directly (means it would take thousands of years on a super computer), so it’s not a solution.

  4. Really love the effort that you guys are putting into all this. I’m a huge fan.

    It might be a dumb question here as I don’t know much, but what if you try to modify the PS3 firmware files to not verify the signature instead of trying to replicate the algorithm.

  5. Makoman, if you break the sig, all the changes will be made in your pkgs what is much less dangerous than messing with the firmware code. There may be other reasons, but this one is my main concern.

  6. Hi,erm i know i should’nt ask you this,but this is kinda urgent for me.how is jb 4.0 progressing?because i am confusing whether to buy ps3 or xbox360,for some game reason,i choose ps3,but seems like it is unjailbreakable,so i dont know whether i should buy ps3 or not.thanks…

    • Choose the Xbox 360. OFW 3.66+ isn’t pirate-able, at most Homebrew-able.
      So if your decision point about buying ps3 or 360 is be able to play some games without buying them. buy a 360. (Better yet, buy a Gaming PC)

      • i got a lot of games in ps3,so i will buy ps3,and i believe kakaroto will solve the problem sooner or later…

  7. Hello Kakarot, his work is exceptional, for some time been following your articles and you’re really a fantastic guy, congratulations. Sorry for english I’m Brazilian. I am using a translator. I have a doubt and would like you to help me. Well that’s it, I have a PS3 FW 3.72 on this and I know the FW 3:56 onwards there is no release so far, right … I know that you are working hard to create for the CFW to serve the other FW. So my current situation in Stand-Alone if I upgrade to FW4.00 when you can unravel the mysteries of this algorithm (which we know you will) all the time until FW developed by Sony will be liable to customization?

  8. I’m sick and tired of people asking me every day “please update the status” or “why didn’t you update it in the last 2 hours” or “is the status correct ?” or “what does the letter I mean?” or “Why is that task still at 0%” or “why didn’t that task change today?”, etc…

    I thought I’d give you a status page so you can follow SILENTLY the progress, but all it did was flood me even more with people asking me questions all the time about it, so I’m taking it down, you don’t deserve to know wtf is happening or where we are in fixing all the issues (not ‘you’ specifically, but all those who can’t keep their mouth shut and need to fucking annoy me every hour). Sorry for the collateral damage.

    The current status is : IT”S BEING WORKED ON!!!! It will be release when it is ready, and asking me all the time about it IS NOT HELPING. I never answered anyone asking me about the status or when it will be released or all of that, so don’t try the “maybe he’ll answer me”, no I won’t, I just might block you instead.

    — KaKaRoTo

    THANK U EVER1 FOR ANNOYING KAKAROTO SO MUCH THAT HE TOCK IT DOWN :'(

    • well,i just wanna know whether 4.0 is jailbreakable or not.if yes,i buy choose ps3,if not,i will go for xbox360..i dont wanna stuck in the middle of nowhere.

        • dumb ass,this is what he said in twitter….yeah,it may never be complete and never released, I honestly don’t have the courage/energy to continue at this point.. :(i dont wanna risk,thats why i ask.i tried to be polite,you start this first.

        • Are u really that dumb….thats insulting..ok,back to the topic,assume i am dumb,is 4.0 jailbreakable?

          • @BROLY: Please don’t attack the other commenters!
            @josh: if you read the blog, you’d know your answer (not for now and no idea when it will be possible)

  9. Thanks you for your constant support to PS3 scene , I hope you are getting results within your hard work , I wish you the best and we all looking forward for your 4.0 cfw.

  10. Hi,
    first of all, great explanation. I’m not sure I got everything right:
    How would the curves look in this case? Since we’re using integer we only have defined values if x and y were integer. So we get some dots and the function would’t be continuous. We could calculate the tangent of point P using the derivation, but it’s not very probable to have an intersection. That would rule out more points, so it would be less than N/2 possible x coordinates (say M). They may be can calculated. I also think k<=M. Depending on M, k coul'd be calculated. But likely I got it all wrong…

    • Yeah, the curves would look like a discontinuous set of points, however, don’t forget we are using a 20 bytes integer value (49 digits in decimal) so it’s a huge curve, if you zoom out enough, then you wouldn’t notice anymore that it’s discontinuous.. also, if you look at the math behind it, you’ll realize that it will always give you an intersection with another point, Avi Kak’s Lecture14 explains the stuff pretty well.
      Also, I realized there was a mistake in the blog post, there are n possible x values, but each x gives 2 points (+/- sqrt) so that means there are 2*n points on the curve where 2*n = N (number of points). as for the value of N, it’s really huge… it’s 161 bits (since it would be 2*n where n is 160 bits)

  11. They fixed the ECDSA-Algo in 3.56. Alright but the Applications made for 3.55 are still working. So we could use the old algo (with the fixed random number), calculate the old key, resign using the fixed random number and the ps3 should accept it just like any old game O.o

    Or am i missing something?

    • yea u missed the fact that the new games eboots are signed with new keys, and to resign the eboot, you need to know the new keys in order to decrypt the eboot and thn resign it, ofcourse if u have the new keys its pointless to even resign em.

      • Why do we need to resign them with the new keys? We would only need that to enable Piracy and since Piracy is a bad thing we dont need to resign them.

        (This Blogentry & My Reply is not about enable new games to run on older firmwares!)

        • Yeah, what you missed is that the old games (for firmware 1.0 even) *always* had two signatures, not just one.. they were just stupid enough to have a bug in firmware 3.55 that didn’t check for that second signature. We have one of the two keys for signing old games, so we’re still stuck

          • Alright, so thats like we can fake the sign on the paper but not the seal on the envelope?

          • no.. it’s more like you want to fake a signature on a check, but you can’t fake the signature on the paper because the bank compares it with the original… so the idea is to simply change the original that the bank compares it to so it think it’s good, but it’s in a vault and you don’t have access to the bank’s vault.

          • Perdoe minha ignorância,mas é possível calcular a segunda chave,a partir da falha de segurança da FW3.55 ?Parabens pelo seu esforço,tenho certeza que vai ser para voce + ou – como foi para mim fechar o Ninja Gaiden na dificuldade Master Ninja,parecia que ia ser impossivel,mas fechei…Thank you brother !!!

  12. Hey KaKaRoTo, awesome work you’re doing on cracking this thing, please keep on doing this and working hard on it, don’t listen to the haters, they’re just impatient and can’t wait for something that they’re getting for free, i don’t think they know the saying, “Don’t bite the hand that feeds you.”, good work dude!

  13. I get the just of that but my head relly fuking hurts pahahaha i sat here for 2hrs tryna get my head around that.

    Good Work man.
    Your almost there
    🙂
    😀

  14. “if there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security”

    Not really. Most of the security today is based on RSA, not ECDSA, which are two different beasts.

  15. I AM BRAZILIAN AND WOULD LIKE TO LEAVE A COMMENT … THAT USERS MAY APPEAR HERE, MAKING COMMENTS DISCOURAGEMENT OR WANTING TO TAKE THE FOCUS. THIS IS NORMAL AND WE MUST LEARN TO FILTER! … BE EMPLOYEES OF SONY, TRYING TO DESTABILIZE. STRENGTH, COURAGE, AS SOON AS THE CFW 4.0 …. KAKAROTO WILL BE MAKING HISTORY. YOUR NAME WILL BE REMEMBERED FOR YEARS …. HOW WILL SMITH IN …. “THE LEGEND”. CONGRATULATIONS AND DO NOT GIVE UP BECAUSE IF A MAN MADE A MAN CAN UNDO.

  16. kakaroto, nice job and keep it up. however, giving the complexity and robustness of the algo, I wonder, how hard would it be to bruteforce the solution? if you can somehow make this into a project with distributed computing, like the folding@home, rosetta and the like, maybe bruteforcing a solution wouldnt take that long. is that legal? is it feasible? because am betting you would have millions of ps3 munching this away for you.

  17. just a short Q, y not instead of trying to make new cfw/jb with higher firmwares why not recreate a whole ps3 fw with ur own codes etc then encrypt/decrypt game eboots with ur fw/but u cant change the keys/codes on newer eboots right, so why not find out how the eboot actualy works then make new eboots to work with the game and FW . (maybe u guy thought of this or its to hard “inpossible idk guide me) hemi11p

  18. just a short Q. y not instead of trying to make new cfw/jb with higher firmwares, recreate ur the entire firmware to ur own codes/keys/hashes etc. then encrypt/decrypt the newer game eboots with ur codes/keys/hashes, BUT if we could do that we would just encrypt/decrypt the games to 3.55 right. so why not learn/find out how the eboots fully work then recreate the whole eboot to ur fw codes/keys/hashes that should work? well in my head it sounds very difficult to do but what bought you dude, hemi

  19. Just a couple of questions to see if I’m missing something. Can lines be tangent to a point? I think they can only be tangent to a point on a curve. Unless that is what you meant? Also, since we are dealing with integer numbers then how can the concept of tangent lines apply? The set of integer numbers is not continuous and is, therefore, not differentiable no matter how you scale them.

    In the graph for “y^2 = x^3 – 4x + 2”, your point P appears to be , but 2P appears to be graphed as , which is certainly not + . I see similar things for the other graphs. Could you please clarify?

    Thank you for your time.

  20. if the private key is a dead end ,
    how about the per_console_root_key_0?
    metldr and bootldr is decrypted with this key.

  21. Pingback: This should be addressed cfw is Impossible over 3.56 so stop asking about it « Ps3 « ConsoleXXX.com

Comments are closed.