Understanding How ECDSA Protects Your Data (article translation)

In the previous post, 关于ECC算法的一些理解 (Some thoughts on the ECC algorithm), we said that one important use of ECC is digital signatures, but I found that I still did not really understand the whole process. So I went looking and found a blog post that explains in detail how ECDSA works. I first came across a translated version of this English post on Zhihu, where the author kindly included the original address, Understanding how ECDSA protects your data. After reading the original I was impressed: the rigorous logic, the idiomatic English and the depth of knowledge are all things I should learn from. So I am taking this opportunity to venture a translation of my own (translated according to my own understanding).

         Everyone has probably heard of ECDSA in one form or another. Some people will better recognize it when I say "Digital signature", and some people will just have no idea what I'm talking about.

         I once tried to understand how ECDSA works, but it's hard to figure it out because most reference documents online are insufficient. They are either too basic -- they only explain the basics of the algorithm and you're left wondering "how does it actually work?" -- or they are too advanced and completely skip over the basics which they assume you should already know. So you're struggling between "how does it really work" and "How did we get here?". So if you don't have a degree in Mathematics or Cryptography, but still want to understand how it actually works (other than "magic happens, and the signature is verified"), you're out of luck because there is no "ECDSA for newbies" anywhere.

    I decided to research ECDSA to better understand how it can protect my data and to understand how secure it actually is. After doing a lot of research and finally figuring it out, I decided to write an explanation of how ECDSA works, what the algorithm is, how a digital signature can be verified and how it's impossible to forge such a signature. Understanding all of that isn't trivial but I tried to explain the best I can while assuming as little as possible on the reader's knowledge and hopefully anyone can understand it now.

Step 1: What Is ECDSA?

ECDSA stands for “Elliptic Curve Digital Signature Algorithm”; it’s used to create a digital signature of data (a file for example) in order to allow you to verify its authenticity without compromising its security. Think of it like a real signature: you can recognize someone’s signature, but you can’t forge it without others knowing. The difference however between an ECDSA signature and a real signature is that it's simply impossible to forge the ECDSA signature.

You shouldn't confuse ECDSA with AES (Advanced Encryption Standard), which is used to encrypt data. ECDSA does not encrypt or prevent someone from seeing or accessing your data; what it protects is the integrity of the data, making sure that it was not tampered with.

Two words are worth noting here in "ECDSA" and that's "Curve" and "Algorithm", because it means that ECDSA is basically all about mathematics.. so I think it’s important to start by saying: “hey kids, don’t slack off at school, listen to your teachers, that stuff might be useful for you some day!” But these maths are fairly complicated, so while I’ll try to popularize it and make it understandable for non-technical people, you will still probably need some knowledge in mathematics to understand it properly. I will do this in two parts, one that is a sort of high-level explanation about how it works, and another where I dig deeper into its inner workings to complete your understanding. Note however that while I understand ECDSA fairly well now, I'm not an expert on the matter (my document here was however reviewed by someone who wrote a thesis about ECDSA and approved it as being accurate).

Step 2: Understanding the Basics

    So the principle is simple, you have a mathematical equation which draws a curve on a graph, and you choose a random point on that curve and consider that your point of origin. Then you generate a random number, this is your private key, you do some magical mathematical equation using that random number and that “point of origin” and you get a second point on the curve, that’s your public key.

When you want to sign a file, you will use this private key (the random number) with a hash of the file (a unique number to represent the file) in a magical equation, and that will give you your signature. The signature itself is divided into two parts, called R and S. In order to verify that the signature is correct, you only need the public key (that point on the curve that was generated using the private key) and you put that into another magical equation with one part of the signature (S), and if it was signed correctly using the private key, it will give you the other part of the signature (R). So to make it short, a signature consists of two numbers, R and S, and you use a private key to generate R and S, and if a mathematical equation using the public key and S gives you R, then the signature is valid. There is no way to know the private key or to create a signature using only the public key.

Step 3: Why Use ECDSA?

Ok, you now know the basics. You probably didn't understand much; it's all complicated: public key, private key, what's all that? Don't worry, I'll get to it soon enough, but first, a little explanation on why we use ECDSA and where it can be useful.

Other than the obvious "I need to sign a contract/document", here's a very popular use case: let's take for example an application that doesn't want its data to be corrupted or modified by the users, like a game that only allows you to load official maps and prevents mods, or a phone or other kind of device that only allows you to install official applications.

In those cases, the files (the apps, the game maps, the data) will be signed with the ECDSA signature; the public key will be bundled with the application/game/device and used to verify the signature to make sure the data has not been modified, while the private key is kept under lock in a safe somewhere. Since you can verify the signature with the public key, but you can't create/forge a new signature with it, the public key can be distributed with the application/game/device without any worries.

This is in contrast with the AES encryption system, which allows you to encrypt the data, but you will need the key to decrypt it, and such an application would need to bundle the key, which defeats the purpose.

    A good example is the Playstation 3 console which was broken wide open and all its files can be decrypted and all the keys within the PS3 files can be extracted but the one thing that remains to be broken on it is an ECDSA signature which prevents anyone from making applications run on the latest firmwares.

Step 4: Basic Mathematics and Binary

    Alright, now for the more in depth understanding, I suggest you take an aspirin right now as this might hurt!

    Let’s start with the basics (which may be boring for people who know about it, but is mandatory for those who don’t) : ECDSA uses only integer mathematics, there are no floating points (this means possible values are 1, 2, 3, etc.. but not 1.5, 2.5, etc..), also, the range of the numbers is bound by how many bits are used in the signature (more bits means higher numbers, means more security as it becomes harder to ‘guess’ the critical numbers used in the equation), as you should know, computers use ‘bits’ to represent data, a bit is a ‘digit’ in binary notation (0 and 1) and 8 bits represent one byte. Every time you add one bit, the maximum number that can be represented doubles, with 4 bits you can represent values 0 to 15 (for a total of 16 possible values), with 5 bits, you can represent 32 values, with 6 bits, you can represent 64 values, etc.. one byte (8 bits) can represent 256 values, and 32 bits can represent 4294967296 values (4 Giga).. Usually ECDSA will use 160 bits total, so that makes… well, a very huge number with 49 digits in it…

Another mathematical construct you need to know is the modulus, which can be simplified by saying it's the remainder of a division of integers. So for example, x mod 10 means the remainder of the division of x by 10, which will always be a number between 0 and 9, so 142 mod 10 gives 2 for example. Another example would be x mod 2, which gives 0 for even numbers and 1 for odd numbers.

Step 5: The Hash

ECDSA is used with a SHA1 cryptographic hash of the message to sign (the file). A hash is simply another mathematical equation that you apply on every byte of data which will give you a number that is unique to your data. Like for example, the sum of the values of all bytes may be considered a very dumb hash function. So if anything changes in the message (the file) then the hash will be completely different. In the case of the SHA1 hash algorithm, it will always be 20 bytes (160 bits). It’s very useful in order to validate that a file has not been modified or corrupted: you get the 20-byte hash for a file of any size, and you can easily recalculate that hash to make sure it matches. What ECDSA signs is actually that hash, so if the data changes, the hash changes, and the signature isn’t valid anymore.

    Let's use an example to make it easier to understand. We'll use the simplest (and dumbest) hash function possible in which we make the sum of all the data and use a modulus 10 on the result.

First of all, you must understand that all data will be interpreted as a number. A text file is a series of bytes, which, as we explained earlier, represent 8 bits each, meaning each can represent a number between 0 and 255. So if we take each byte as a number and add each byte of the file, then we do a modulus by 10 of the result, we'll end up with a number between 0 and 9 as the resulting hash. We'll always get the same hash for the same data, and if you change a byte in the file, the result may be different. Of course, you'll also understand that it would be very easy to change the file in order to get the same hash since there are only 10 possibilities (0 to 9), so there is a one in 10 chance of getting the same hash by changing the content of the file.

    That's where SHA1 comes into play, the SHA1 algorithm is much much more complex than our simple "modulus 10" hash function, it will give an extremely huge number (160 bits, so a number with 49 digits in decimal) and it has the particularity to change radically if a single bit of data is modified from the file.

    This makes SHA1 a very good hashing algorithm that is unpredictable which is very secure and with very little chances of getting a 'collision' (when two different files have the same hash) and makes it practically impossible to forge data to get a specific hash.

Step 6: The ECDSA Equation

Now, how does it work? Well, Elliptic Curve cryptography is based on an equation of the form:

y^2 = (x^3 + a * x + b) mod p

The first thing you notice is that there is a modulo and that the ‘y‘ is squared (don't forget this is the equation of a curve on a graph). This means that for any x coordinate (don't forget as well that we're only working with integers), you will have two values of y and that the curve is symmetric on the X axis. The modulus is a prime number and makes sure that all the values are within our range of 160 bits, and it allows the use of “modular square root” and “modular multiplicative inverse” mathematics which make calculating stuff easier. Since we have a modulo (p), it means that the possible values of y^2 are between 0 and p-1, which gives us p total possible values. However, since we are dealing with integers, only a smaller subset of those values will be a “perfect square” (the square value of two integers), which gives us N possible points on the curve where N < p (N being the number of perfect squares between 0 and p). You're following me so far? :)

    Since each x will yield two points (positive and negative values of the square-root of y^2), this means that there are N/2 possible ‘x‘ coordinates that are valid and that give a point on the curve. So this elliptic curve has a finite number of points on it, and it’s all because of the integer calculations and the modulus.

    Ouff, that was hard! Let's summarize before we move on. The ECDSA equation gives us a curve with a finite number of valid points on it (N) because the Y axis is bound by the modulus (p) and needs to be a perfect square (y^2) with a symmetry on the X axis. We have a total of N/2 possible, valid x coordinates without forgetting that N < p.

Step 7: Point Addition

Another thing you need to know about Elliptic curves is the notion of “point addition”. It is defined as follows: adding one point P to another point Q will lead to a point S such that if you draw a line from P to Q, it will intersect the curve on a third point R which is the negative value of S (remember that the curve is symmetric on the X axis). In this case, we define R = -S to represent the symmetrical point of R on the X axis. This is easier to illustrate with an image, so look at the above image.

    So you can see a curve of the form y^2 = x^3 + ax + b (where a = -4 and b = 0), which is symmetric on the X axis, and where P+Q is the symmetrical point through X of the point R which is the third intersection of a line going from P to Q.

Step 8: Point Multiplication

 In the same manner, if you do P + P, it will be the symmetrical point of R which is the intersection of the line that is a tangent to the point P.. And P + P + P is the addition between the resulting point of P+P with the point P since P + P + P can be written as (P+P) + P.. This defines the "point multiplication" where k*P is the addition of the point P to itself k times… Look at the two images above for examples of the point multiplication.

 Here, you can see two elliptic curves, and a point P from which you draw the tangent, it intersects the curve with a third point, and its symmetric point is 2P, then from there, you draw a line from 2P and P and it will intersect the curve, and the symmetrical point is 3P. etc… you can keep doing that for the point multiplication. You can also already guess why you need to take the symmetric point of R when doing the addition, otherwise, multiple additions of the same point will always give the same line and the same three intersections.

Step 9: The Trap Door Function!

    One particularity of this point multiplication is that if you have a point R = k*P, where you know R and you know P, there is no way to find out what the value of ‘k‘ is. Since there is no point subtraction or point division, you cannot just resolve k = R/P. Also, since you could be doing millions of point additions, you will just end up on another point on the curve, and you’d have no way of knowing “how” you got there. You can’t reverse this operation, and you can’t find the value 'k' which was multiplied with your point P to give you the resulting point R.

    This thing where you can’t find the multiplicand even when you know the original and destination points is the whole basis of the security behind the ECDSA algorithm, and the principle is called a "trap door function".

Step 10: The ECDSA Algorithm

    Now that we’ve handled the “basics”, let’s talk about the actual ECDSA signature algorithm.

    For ECDSA, you first need to know your curve parameters, those are a, b, p, N and G. You already know that ‘a‘ and ‘b‘ are the parameters of the curve function (y^2 = x^3 + ax + b), that ‘p‘ is the prime modulus, and that ‘N‘ is the number of points of the curve, but there is also ‘G‘ that is needed for ECDSA, and it represents a ‘reference point’ or a point of origin if you prefer. The reference point could be any point on the curve.

Those curve parameters are important and without knowing them, you obviously can’t sign or verify a signature. Yes, verifying a signature isn’t just about knowing the public key; you also need to know the curve parameters from which this public key is derived. NIST (National Institute of Standards and Technology) and SECG (Standards for Efficient Cryptography Group) offer pre-made and standardized curve parameters which are known to be secure and efficient.

    So first of all, you will have a private and a public key.. the private key is a random number (of 160 bits too) that is generated, and the public key is a point on the curve generated from the point multiplication of G with the private key. We set ‘dA‘ as the private key (random number) and ‘Qa‘ as the public key (a point), so we have : Qa = dA * G (where G is the point of reference in the curve parameters).

Step 11: Creating a Signature

So how do you sign a file/message?

First, you need to know that the signature is 40 bytes and is represented by two values of 20 bytes each; the first one is called R and the second one is called S.. so the pair (R, S) together is your ECDSA signature.. now here’s how you can create those two values in order to sign a file.. first you must generate a random value ‘k‘ (of 20 bytes), and use point multiplication to calculate the point P=k*G. That point’s x value will represent ‘R‘. Since the point on the curve P is represented by its (x, y) coordinates (each being 20 bytes long), you only need the ‘x‘ value (20 bytes) for the signature, and that value will be called ‘R‘. Now all you need is the ‘S‘ value.

To calculate S, you must make a SHA1 hash of the message; this gives you a 20-byte value that you will consider as a very huge integer number, and we’ll call it ‘z‘. Now you can calculate S using the equation:

S = k^-1 (z + dA * R) mod p

Note here the k^-1, which is the 'modular multiplicative inverse' of k… it’s basically the inverse of k, but since we are dealing with integer numbers, that’s not possible, so it’s a number such that (k^-1 * k) mod p is equal to 1. And again, I remind you that k is the random number used to generate R, z is the hash of the message to sign, dA is the private key and R is the x coordinate of k*G (where G is the point of origin of the curve parameters).
Step 12: Verifying the Signature

Now that you have your signature, you want to verify it; it’s also quite simple, and you only need the public key (and curve parameters of course) to do that. You use this equation to calculate a point P:

P = S^-1*z*G + S^-1 * R * Qa

If the x coordinate of the point P is equal to R, that means that the signature is valid, otherwise it’s not.

Pretty simple, huh? Now let’s see why and how… and this is going to require some mathematics to verify. We have:

P = S^-1*z*G + S^-1 * R * Qa

but Qa = dA*G, so:

P = S^-1*z*G + S^-1 * R * dA*G = S^-1 (z + dA * R) * G

But the x coordinate of P must match R, and R is the x coordinate of k * G, which means that:

k*G = S^-1 (z + dA * R) * G

We can simplify by removing G, which gives us:

k = S^-1 (z + dA * R)

By inverting k and S, we get:

S = k^-1 (z + dA * R)

and that is the equation used to generate the signature.. so it matches, and that is the reason why you can verify the signature with that first equation above.
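
As an added worked example (not part of the original article or its author's code), here are Steps 6 to 12 end to end on a deliberately tiny curve so every number can be checked by hand: y^2 = x^3 + 2x + 2 mod 17 with base point G = (5, 1), a curve with 19 points in total (the page's N), so n = 19. One assumption to flag: the example reduces the scalar equations for S and S^-1 modulo n, the order of G, because that is what makes the k^-1 and S^-1 factors cancel in the verification derivation; the hash is SHA1 as in the article.

```python
import hashlib

# Constructed toy curve: y^2 = x^3 + a*x + b (mod p), base point G, 19 points in all.
# Scalars (private key, k, S) live modulo n = 19. Far too small to be secure.
p, a, b = 17, 2, 2
G = (5, 1)
n = 19
O = None  # the "point at infinity", the identity for point addition

def inv(x, m):
    """Modular multiplicative inverse (the page's k^-1): (x * inv(x, m)) % m == 1."""
    return pow(x, -1, m)

def add(P, Q):
    """Point addition from Step 7; the tangent case is the P + P doubling of Step 8."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P): the line is vertical and meets no third point
    if P == Q:
        s = (3 * x1 * x1 + a) * inv(2 * y1, p) % p  # slope of the tangent at P
    else:
        s = (y2 - y1) * inv(x2 - x1, p) % p  # slope of the chord through P and Q
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p  # mirror the third intersection across the x axis
    return (x3, y3)

def mul(k, P):
    """Point multiplication k*P (Step 8) by double-and-add; same result as k additions."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def on_curve(P):
    """True if P satisfies the curve equation (the point at infinity counts)."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def hash_to_int(msg):
    """z of Step 11: the SHA1 digest read as one big integer, reduced mod n for the toy."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % n

def keygen(dA):
    """Step 10: the public key Qa = dA * G."""
    return mul(dA, G)

def sign(z, dA, k):
    """Step 11: R = x coordinate of k*G, S = k^-1 (z + dA*R) mod n.
    k is a parameter only so the example is reproducible; a real signer draws a fresh,
    unpredictable k for every signature (Step 14). Returns None for a degenerate k."""
    P = mul(k, G)
    if P is O:
        return None
    R = P[0] % n
    S = inv(k, n) * (z + dA * R) % n
    if R == 0 or S == 0:
        return None  # caller retries with another k
    return (R, S)

def verify(z, sig, Qa):
    """Step 12: P = S^-1*z*G + S^-1*R*Qa; the signature is valid iff x(P) == R."""
    R, S = sig
    if not (0 < R < n and 0 < S < n):
        return False
    w = inv(S, n)
    P = add(mul(w * z % n, G), mul(w * R % n, Qa))
    return P is not O and P[0] % n == R

if __name__ == "__main__":
    dA = 7                      # private key: a "random" number below n
    Qa = keygen(dA)             # public key, a point on the curve: (0, 6)
    sig = sign(4, dA, k=3)      # z = 4 stands in for a hash value; gives (10, 12)
    print("Qa =", Qa, "signature (R, S) =", sig)
    print("valid:", verify(4, sig, Qa), "tampered hash:", verify(5, sig, Qa))
```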

Step 13: The Security of ECDSA

    You can note that you need both ‘k‘ (random number) and ‘dA‘ (the private key) in order to calculate S, but you only need R and Qa (public key) to verify the signature. And since R=k*G and Qa = dA*G and because of the trap door function in the ECDSA point multiplication (explained in step 9), we cannot calculate dA or k from knowing Qa and R, this makes the ECDSA algorithm secure, there is no way of finding the private keys, and there is no way of faking a signature without knowing the private key.

Step 14: The Importance of a Random K

    Let's discuss now how and why the ECDSA signatures that Sony used in the Playstation 3 were faulty and how it allowed hackers to gain access to the PS3's ECDSA private key.

So you remember the equations needed to generate a signature.. R = k*G and S = k^-1(z + dA*R) mod p.. well, this equation’s strength is in the fact that you have one equation with two unknowns (k and dA), so there is no way to determine either one of those.

However, the security of the algorithm is based on its implementation, and it’s important to make sure that ‘k‘ is randomly generated and that there is no way that someone can guess, calculate, or use a timing attack or any other type of attack in order to find the random value ‘k‘. But Sony made a huge mistake in their implementation: they used the same value for ‘k‘ everywhere, which means that if you have two signatures, both with the same k, then they will both have the same R value, and it means that you can calculate k using the S values of two files with hashes z and z’ and signatures S and S’ respectively:

S – S’ = k^-1 (z + dA*R) – k^-1 (z’ + dA*R) = k^-1 (z + dA*R – z’ – dA*R) = k^-1 (z – z’)

So:

k = (z – z’) / (S – S’)

Once you know k, the equation for S becomes one equation with one unknown and is then easily resolved for dA:

dA = (S*k – z) / R

Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is now impossible to find the private key..

    Another example of this issue is when some bitcoin clients used a non-cryptographically random number generator (on some browsers and on some Android clients) which caused them to sign their transactions with the same 'k' value, and malicious people were able to find the private key of their bitcoin wallet and steal their funds.

    This shows the importance of using a truly random number every time you make a signature, as you will expose the private key if the R value of the (R, S) signature pair is the same on two different signatures.
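
The Step 14 algebra as an added example (not from the original article): it works purely on the scalars, so no curve arithmetic is needed, and n stands for the order of the base point G, modulo which S is reduced. The values are constructed (n = 19 keeps them hand-checkable; R is given directly rather than computed as the x coordinate of k*G, since its origin plays no role in the algebra). The last function is the defender's side of the same fact: scanning a batch of signatures for an R that repeats across different hashes is exactly the condition that leaks the key.

```python
def inv(x, m):
    """Modular multiplicative inverse: (x * inv(x, m)) % m == 1."""
    return pow(x, -1, m)

def s_part(z, dA, R, k, n):
    """The S half of a signature, S = k^-1 (z + dA*R) mod n (Step 11).
    R is normally the x coordinate of k*G; here it is simply supplied."""
    return inv(k, n) * (z + dA * R) % n

def recover_from_reused_k(R, S1, z1, S2, z2, n):
    """Step 14: two signatures sharing R (hence the same k) over hashes z1 != z2.
    S1 - S2 = k^-1 (z1 - z2), so k = (z1 - z2) / (S1 - S2) and dA = (S1*k - z1) / R,
    all modulo n. Returns (k, dA)."""
    if z1 == z2 or (S1 - S2) % n == 0:
        raise ValueError("need two signatures over different hashes with the same R")
    k = (z1 - z2) * inv((S1 - S2) % n, n) % n
    dA = (S1 * k - z1) * inv(R % n, n) % n
    return k, dA

def find_reused_r(signatures):
    """Defender's check over a batch of (R, S, z) triples: report every R that appears
    with at least two different hashes, i.e. every signer whose k was reused."""
    by_r = {}
    for R, S, z in signatures:
        by_r.setdefault(R, []).append((S, z))
    return {R: entries for R, entries in by_r.items()
            if len({z for _, z in entries}) > 1}

if __name__ == "__main__":
    n, dA, k, R = 19, 7, 3, 10           # constructed: private key 7, nonce 3 reused
    S1 = s_part(4, dA, R, k, n)          # signature over hash z = 4  -> S1 = 12
    S2 = s_part(9, dA, R, k, n)          # signature over hash z' = 9 with the SAME k -> S2 = 1
    print("recovered (k, dA):", recover_from_reused_k(R, S1, 4, S2, 9, n))  # (3, 7)
    batch = [(R, S1, 4), (R, S2, 9), (14, 2, 6)]   # third entry: an unrelated signature
    print("R values seen with two different hashes:", list(find_reused_r(batch)))  # [10]
```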

A good joke about this is shown in xkcd comic 221 (see image above), which became the go-to image to illustrate this issue. The image was often re-used whenever such an implementation error of the algorithm happened.

The ECDSA algorithm is very secure, in that it is impossible to find the private key... as long as the implementation is done correctly of course. If there was a way to find the private key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack.

Step 15: Conclusion

    Finally! I hope this makes the whole algorithm clearer to many of you.. I know that this is still very complicated and hard to understand. I usually try to make things easy to understand for non technical people, but this algorithm is too complex to be able to explain in any simpler terms.

But if you are a developer or a mathematician or someone interested in learning about this because you want to help or simply gain knowledge, then I’m sure that this contains enough information for you to get started or to at least understand the concept behind this unknown beast called “ECDSA”.

That being said, I’d like to thank a few people who helped me understand all of this, one particularly who wishes to remain anonymous, as well as the many wikipedia pages I linked to throughout this article, and Avi Kak, thanks to his paper explaining the mathematics behind ECDSA, and from which I have taken those graph images above.

P.s: In this instructable, I used '160 bits' in my text to talk about the ECDSA signature because that’s what is usually used as it matches the SHA1 hash size of 160 bits (20 bytes) and that’s what the PS3 security uses, but the algorithm itself can be used with any size of numbers. There may be other inaccuracies in this article, but like I said, I’m not an expert and this was dumbed down as much as possible without removing any information about the algorithm.

If you have any questions, you can reach me through my personal WeChat official account!
