I'm a complete newbie to ECC, but I was trying to get my feet wet with (what I thought would be) a TRIVIAL/EXTREMELY SIMPLE example of ECDSA signing and verification (that I could check by hand).
I'd appreciate any advice as to what I'm missing or have done wrong.
And if this is NOT an appropriate venue for this kind of question, I apologize, and would welcome any advice as to what group/forum would be a better choice.
E := y^2 = x^3 + 2 x + 2 mod 17
(this elliptic curve has 18 points, and any of the points on the curve can be the generator (G), so I chose G = (5,1))
I chose an "ephemeral" key
k = 3
then
k G
= 3 (5,1)
= (10,6)
I chose
dA = 5
then
QA = dA G
= 5 (5,1)
= (9,16)
so A's private/public keys are
dA (= 5) and QA (= (9,16))
And finally, I chose a value for "e" (the hash of the message) of 8.
e = 8
SIGNING:
R = (rX,rY) = k G
= (10,6)
(r =) rX = 10
s = (e + dA r) k^-1 mod n
= (8 + 5 10) 3^15 mod 17
= (8 + 5 10) 6 mod 17
= 8
so the "signature" (for any message that hashes to e = 8) is
(r,s) = (10,8)
VERIFICATION:
w = s^-1 mod n
= 8^15 mod 17
= 15
u1 = e w mod n
= 8 15 mod 17
= 1
u2 = r w mod n
= 10 15 mod 17
= 14
P = (pX,pY) = u1 G + u2 QA
= 1 (5,1) + 14 (9,16)
= (5,1) + (16,4)
= (9,1)
And pX (9) SHOULD be equal to r (10). But, clearly, it's NOT.
What am I missing or doing wrong?
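
The hand calculation above as an added example (not part of the original post): a Python sketch that implements the group law on the post's curve, counts the order of G by repeated addition, and runs ECDSA with the scalar modulus n passed in as a parameter, so the post's n = 17 can be run next to the computed order. The function names (`add`, `mul`, `order`, `sign`, `verify`) are assumptions of this example; the curve, G, k, dA and e are the post's values.

```python
# Toy ECDSA on the post's curve y^2 = x^3 + 2x + 2 over F_17 (illustration only, not secure).
P_FIELD, A, G, INF = 17, 2, (5, 1), None  # INF = point at infinity

def add(p, q):
    """Affine point addition with INF as the identity element."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF  # p + (-p), including doubling a point with y = 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def order(p):
    """Smallest n > 0 with n*p == INF, counted by repeated addition."""
    n, q = 1, p
    while q is not INF:
        q, n = add(q, p), n + 1
    return n

def sign(e, d, k, n):
    """ECDSA signature (r, s), with scalar arithmetic done mod n."""
    r = mul(k, G)[0] % n
    return r, (e + d * r) * pow(k, -1, n) % n

def verify(e, sig, Q, n):
    """ECDSA verification: x-coordinate of u1*G + u2*Q must equal r."""
    r, s = sig
    w = pow(s, -1, n)
    pt = add(mul(e * w % n, G), mul(r * w % n, Q))
    return pt is not INF and pt[0] % n == r

if __name__ == "__main__":
    Q = mul(5, G)  # dA = 5 from the post
    for n in (17, order(G)):  # the post's modulus, then the computed order of G
        sig = sign(8, 5, 3, n)
        print(n, sig, verify(8, sig, Q, n))
```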