Back to Notes

On the intuition behind ECDSA

July 4, 2026

I’m reading this blog post here, as well as the prerequesites, to rediscover ECDSA from first principles.

Why do we need anything more than P=p.GP = p.G?

We’re building a digital signature algorithm. P=p.GP = p.G already proves knowledge of a secret pp that corresponds to PP.

pp is for signing, PP is for verifying. PP is a commitment to the value of pp.

Ok, pp is for signing, but signing what? We need to introduce mm, the message to sign.

Something like: sig=p.msig = p.m, where P=p.GP = p.G

How to verify?

This is the beauty of ECC. We raise the scalars into curve points by multiplying with the generator: G.sig=G.p.mG.sig = G.p.m. With P=p.GP = p.G, we get: G.sig=P.mG.sig = P.m, which is all public information.

Because both sigsig and mm are public, pp is leaked 💀. This begs hiding pp.

We introduce a second secret qq, where Q=q.GQ = q.G. Now we have two secrets. It’s not possible to solve for pp with just the single sigsig equation. An attacker will need a second equation.

This prevents direct algebraic recovery from that single equation.

I’m writing sig=f(p,m,q)sig = f(p,m,q) because I’m not sure how to apply qq there yet.

Back to the beauty of ECC, raise scalars into curve points ✨.

Because we have two secrets on the right side of sig=f(p,m,q)sig=f(p,m,q), we will have only one GG on that side for two secrets, the other secret will not be raised to its public commitment.

But we have GG on the left side too, that’s why ff needs to raise q1q^{-1}, we get: G.q.sig=G.p.mG.q.sig = G.p.m.

That’s equivalent to Q.sig=P.mQ.sig = P.m, all public information that the verifier verifies. The signature is sig.q1=p.msig.q^{-1} = p.m

Why does ECDSA do more than sig.q1=p.msig.q^{-1} = p.m?

TBD.

Other notes

El Gamal introduced a DSA 5 years before Schnorr did.