Ethereum Signatures Explained in 5 Minutes
Below is a quick, 5-minute read explaining how Ethereum signatures work, broken down into the essential steps and concepts.
1. Private Keys and Public Addresses
Private Key
- A private key is a randomly generated 256-bit number (typically represented as a 64-character hexadecimal string).
- Keep it secret: anyone who has your private key can access your funds and represent you on the Ethereum network.
Public Key & Address
- The public key is derived from the private key using elliptic curve cryptography (specifically, the secp256k1 curve).
- Then, an Ethereum address is derived from the public key (the last 20 bytes of the keccak256 hash of the public key).
- This means each address is tied to a private key, which is used to sign messages and transactions.
2. The Role of Signatures in Ethereum
A signature in Ethereum proves two things:
- Ownership: You own the private key controlling a given address.
- Integrity: The data you signed has not been altered.
When you send a transaction or sign a message, your wallet uses your private key to create a digital signature. Anyone can then verify that signature using your public address— without seeing your private key.
Ethereum signatures use the Elliptic Curve Digital Signature Algorithm (ECDSA). Here’s a simplified overview of how a transaction or message is signed:
- Message Hashing:
- A transaction or message (the data to be signed) is hashed with the keccak256 algorithm.
- For human-readable strings, Ethereum’s
personal_sign adds a special prefix (“\x19Ethereum Signed Message:\n”) before hashing. This helps prevent replay attacks.
- ECDSA Math:
- The private key signs this hash, resulting in three parameters:
R, S, and V.
R and S are the core components from the ECDSA process, and V indicates the “recovery id” which helps in recreating the public key for verification.
- Signature Output:
- In Ethereum, the final signature is typically represented as a concatenation of
R, S, and V.
- This signature is sent along with the original data (or transaction).
4. Verifying a Signature
Off-chain Verification
- Anyone can take the original data (or transaction), hash it, then use the
R, S, and V signature values to recover the public key.
- Once the public key is recovered, it’s converted to an address. If that address matches the claimed signer, verification succeeds.
On-chain Verification
- In Solidity, you can use low-level EVM operations (
ecrecover) to verify an ECDSA signature.
ecrecover returns the address that signed the message if the signature is valid. Developers compare that address to the expected signer to confirm authenticity.
5. Common Use Cases
- Transaction Signing:
- Sending Ether or tokens requires signing a transaction with your private key.
- Once signed, a valid transaction can be broadcast to the network.
- Off-chain Messages:
- You can sign data like a “Login” request to prove you own a particular address—no password needed.
- This is often done through
personal_sign or EIP-712 (structured data).
- Smart Contract Interactions:
- Some smart contracts use signatures to validate actions or “meta-transactions,” allowing gasless or delegated transactions.
6. Bonus: EIP-712 (Typed Structured Data)
- EIP-712 is a standard for structured message signing in Ethereum. It defines a human-readable schema so that signers clearly see what they’re agreeing to.
- This helps prevent phishing attacks and improves user experience by showing exactly which fields are being signed.
In Summary
- Ethereum signatures rely on elliptic curve cryptography (ECDSA) to let you prove ownership of an address without revealing your private key.
- Messages are hashed, then signed to produce
R, S, V values. Anyone can verify these to confirm the signer’s identity.
- This concept is fundamental to both on-chain transactions and off-chain verifications (e.g., login without passwords).
- EIP-712 structured data improves usability and security by clarifying the data being signed.
That’s the essence! With a firm grasp of private keys, hashing, ECDSA, and verification, you now understand how Ethereum signatures secure and power the ecosystem—all in just 5 minutes.