Skip to main content

Try it Live

Run Signature examples in the interactive playground
Conceptual Guide - For API reference and method documentation, see Signature API.
ECDSA signatures provide cryptographic proof that a message was authorized by the holder of a specific private key. This guide teaches signature fundamentals using Tevm.

What are ECDSA Signatures?

ECDSA (Elliptic Curve Digital Signature Algorithm) is a cryptographic signature scheme that proves message authenticity without revealing the private key. Ethereum uses ECDSA for transaction authorization. Key properties:
  • Unforgeable - Only the private key holder can create valid signatures
  • Non-repudiable - Signer cannot deny creating a valid signature
  • Verifiable - Anyone can verify signature authenticity with the public key
  • Non-transferable - Signature cannot be reused for different messages

The secp256k1 Curve

Ethereum (like Bitcoin) uses the secp256k1 elliptic curve. This curve is defined by:
Where p is a large prime number (2^256 - 2^32 - 977). Parameters:
  • Private key - 32-byte random number (1 to n-1)
  • Public key - 64-byte uncompressed point (x, y) on the curve
  • Curve order (n) - Maximum valid scalar value

Signature Components

An ECDSA signature consists of three components: (r, s, v).

r and s (Signature Values)

  • r - X-coordinate of a random point on the curve (32 bytes)
  • s - Signature proof value (32 bytes)
Both are derived during the signing process using the private key and message hash.

v (Recovery ID)

  • v - Recovery identifier (1 byte, typically 27 or 28)
  • Enables public key recovery without providing the full public key
  • Ethereum standard: 27 for even y-coordinate, 28 for odd y-coordinate

Signing Process

Signing creates cryptographic proof that you authorized a message:

Signing Algorithm Steps

  1. Hash the message - Use keccak256 to produce 32-byte digest
  2. Generate random nonce (k) - Cryptographically random per signature
  3. Calculate curve point - R = k × G (where G is generator point)
  4. Extract r - r = R.x mod n (x-coordinate of R)
  5. Calculate s - s = k⁻¹ × (hash + r × privateKey) mod n
  6. Determine v - Recovery ID based on R.y parity

Verification Process

Verification proves a signature was created by the holder of a specific private key:

Verification Algorithm Steps

  1. Recover public key - Use (r, s, v) and message hash
  2. Derive address - Hash public key and take last 20 bytes
  3. Compare addresses - Check if recovered address matches expected signer

Complete Example: Sign and Verify

Here’s a complete workflow for signing a message and verifying the signature:

EIP-2098 Compact Signatures

EIP-2098 defines a compact 64-byte signature format by embedding the recovery ID into the s value’s highest bit. Standard format: 65 bytes (r: 32, s: 32, v: 1) EIP-2098 format: 64 bytes (r: 32, s with embedded v: 32)

When to Use EIP-2098

  • Smart contracts - Save gas when passing signatures as calldata
  • Storage - Reduce on-chain storage costs by 1 byte per signature
  • Batching - Significant savings when processing many signatures
See EIP-2098 for detailed usage patterns.

Signature Malleability

ECDSA signatures are malleable: both (r, s) and (r, -s mod n) are mathematically valid signatures for the same message. This can enable replay attacks if not handled properly.

The High-s Problem

Why Malleability Matters

Without normalization:
With normalization:

Canonical Signatures

Standards:
  • Bitcoin (BIP-62) - Requires canonical low-s signatures
  • Ethereum - Consensus rules enforce s ≤ secp256k1n/2
  • Best practice - Always normalize signatures before verification or storage

Common Use Cases

Transaction Signing

Every Ethereum transaction requires a signature:

Message Signing (personal_sign)

Sign arbitrary messages for authentication:

EIP-712 Typed Data Signing

Structured data signing for better UX:

Resources

Next Steps

  • Overview - Type definition and API reference
  • Constructors - Create signatures from various formats
  • Validation - Canonicalization and malleability prevention
  • Recovery - Recover public keys and addresses
  • EIP-2098 - Compact signature format
  • Secp256k1 - Signing and verification functions