On the intuition behind ECDSA
July 4, 2026
I’m reading this blog post here, as well as the prerequesites, to rediscover ECDSA from first principles.
Why do we need anything more than ?
We’re building a digital signature algorithm. already proves knowledge of a secret that corresponds to .
is for signing, is for verifying. is a commitment to the value of .
Ok, is for signing, but signing what? We need to introduce , the message to sign.
Something like: , where
How to verify?
This is the beauty of ECC. We raise the scalars into curve points by multiplying with the generator: . With , we get: , which is all public information.
Because both and are public, is leaked 💀. This begs hiding .
We introduce a second secret , where . Now we have two secrets. It’s not possible to solve for with just the single equation. An attacker will need a second equation.
This prevents direct algebraic recovery from that single equation.
I’m writing because I’m not sure how to apply there yet.
Back to the beauty of ECC, raise scalars into curve points ✨.
Because we have two secrets on the right side of , we will have only one on that side for two secrets, the other secret will not be raised to its public commitment.
But we have on the left side too, that’s why needs to raise , we get: .
That’s equivalent to , all public information that the verifier verifies. The signature is
Why does ECDSA do more than ?
TBD.