[Openid-specs-ab] JWS/A : ECDSA signature byte length

John Bradley ve7jtb at ve7jtb.com
Mon May 28 14:38:29 UTC 2012


The Curve of the public key defines the length of r and s

P-160  EC key length = 160 bits , z hash SHA1, r & s = 160 bits,  equiv RSA 2048 bit key
P-256  EC key length = 256 bits , z hash SHA256, r & s = 256 bits, equiv RSA 3072 bit key
P-384  EC key length = 384 bits , z hash SHA384, r & s = 384 bits, equiv RSA 7680 bit key

For a SHA256 hash z is 32bytes.

Using the P-256 curve r and s both need to be 256 bits.

So the resulting "r | s" is 512 bits.

If you are using SHA384 then r and s are 48 octets each with the P-384 curve. 

Is that what you were looking for?   
In principal the bit-length of z could be different, but best practice is to keep them the same as r & s.

John   
On 2012-05-27, at 7:43 PM, hideki nara wrote:

> Hi all,
> 
> I'm developing JWS library with C# and Python.
> Could someone please describe why the byte length of ECDSA signature,
> r and s,  is 32 ?
> 
> Thanks in advance.
> ---
> hdknr
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab



More information about the Openid-specs-ab mailing list