Skip to main content

Try it Live

Run Signature examples in the interactive playground

Signature

Unified cryptographic signature primitive supporting multiple algorithms (secp256k1, P-256, Ed25519).
New to ECDSA signatures? Start with Fundamentals to learn about secp256k1, signature components (r, s, v), signing/verification, malleability prevention, and common use cases.

Overview

Signature provides algorithm-agnostic signature handling with automatic metadata tracking. Supports ECDSA (secp256k1, P-256) and EdDSA (Ed25519) with format conversions (compact, DER). Key Features:
  • Multi-algorithm support (secp256k1, P-256, Ed25519)
  • Format conversions (compact, DER, RSV)
  • Signature validation and canonicalization
  • Public key recovery (secp256k1 only)
  • Zero-copy operations where possible
  • WASM acceleration available

Documentation

Core Operations

  • constructors - Create signatures from components, DER, compact formats, or algorithm-specific constructors
  • conversions - Convert between signature formats: compact, DER, RSV, and raw bytes
  • validation - Validate signatures, check canonicality, and prevent malleability attacks
  • recovery - Recover public keys and addresses from secp256k1 signatures using recovery ID
  • utilities - Extract components, compare signatures, and type guards

Formats

  • formats - Compare signature formats: compact (64B), DER (variable), RSV, and EIP-2098
  • eip-2098 - Compact 64-byte format with embedded recovery ID for gas savings

Advanced

  • usage-patterns - Real-world examples: Ethereum transactions, EIP-712, personal_sign
  • wasm - WASM-accelerated signature operations for improved performance
  • branded-signature - Type definition and metadata structure

Signature Format Comparison

FormatSizeRecoveryUse Case
Compact64 bytes❌ NoStandard ECDSA storage
Compact+V65 bytes✅ YesEthereum transactions
DER~70-72 bytes❌ NoBitcoin, X.509 certificates
EIP-209864 bytes✅ Yes (embedded)Gas-optimized Ethereum
See Signature Formats for detailed comparison.

Quick Reference

Quick Start

Effect Schema

Security Considerations

Signature Malleability

ECDSA signatures are malleable: both (r, s) and (r, -s mod n) are valid. Always normalize to prevent attacks:
Standards:
  • Bitcoin BIP-62: Requires canonical low-s signatures
  • Ethereum: Enforces low-s in consensus rules
  • Best Practice: Always normalize before verification or storage

Recovery ID Validation

Replay Attack Prevention

Ethereum uses EIP-155 to prevent cross-chain replay attacks:

API Reference

Constructors

See Constructors for detailed documentation.
  • Signature.from(value) - Universal constructor
  • Signature.fromSecp256k1(r, s, v?) - secp256k1 ECDSA
  • Signature.fromP256(r, s) - P-256 ECDSA
  • Signature.fromEd25519(signature) - Ed25519
  • Signature.fromCompact(bytes, algorithm) - Compact format
  • Signature.fromDER(der, algorithm, v?) - DER encoding

Conversions

See Conversions for detailed documentation.
  • Signature.toBytes(signature) - Raw bytes (strips metadata)
  • Signature.toCompact(signature) - Compact format (64 or 65 bytes)
  • Signature.toDER(signature) - DER encoding (~70 bytes)

Validation

See Validation for detailed documentation.
  • Signature.isCanonical(signature) - Check if s ≤ n/2
  • Signature.normalize(signature) - Convert to canonical form

Component Extraction

See Utilities for detailed documentation.
  • Signature.getAlgorithm(signature) - Get algorithm
  • Signature.getR(signature) - Extract r component (32 bytes)
  • Signature.getS(signature) - Extract s component (32 bytes)
  • Signature.getV(signature) - Get recovery ID

Comparison

  • Signature.equals(a, b) - Compare signatures
  • Signature.is(value) - Type guard

Types

Constants

Errors

  • SignatureError - Base error class
  • InvalidSignatureLengthError - Invalid byte length
  • InvalidSignatureFormatError - Unsupported format
  • InvalidAlgorithmError - Invalid or unsupported algorithm
  • NonCanonicalSignatureError - Signature not canonical
  • InvalidDERError - DER encoding/decoding error

Structure

ECDSA (secp256k1, P-256)

Ed25519

Recovery ID (v)

  • 27: First recovery attempt (Ethereum standard)
  • 28: Second recovery attempt
  • Only applies to secp256k1
  • Not stored in signature bytes (metadata only)

Quick Start

Complete Example

External References