ECDSA
cryptography
Full Name: Elliptic Curve Digital Signature Algorithm
Definition
ECDSA is the digital signature algorithm used throughout the EUDI Wallet ecosystem for signing credentials, proving device ownership, and authenticating communication. Built on elliptic curve cryptography, ECDSA provides compact, efficient signatures essential for mobile identity wallets.
The ECDSA Signing and Verification Process
ECDSA operates in two phases -- signing and verification -- each involving mathematical operations on an elliptic curve:
Signing (performed by the credential issuer or wallet device): The signer computes a cryptographic hash of the message (e.g., SHA-256 of the credential content). They generate a random nonce k, compute a point (x, y) = kG on the curve (where G is the generator point and n is its order), and derive the signature components r = x mod n and s = k⁻¹(hash + r*privateKey) mod n. The signature (r, s) is a pair of integers, each 32 bytes long for the P-256 curve, totaling just 64 bytes.
Verification (performed by the credential verifier): The verifier computes the same hash of the message, then uses the signer's public key to verify the mathematical relationship between the hash, the signature (r, s), and the public key. If the relationship holds, the signature is valid. Verification confirms two things simultaneously: the message has not been altered (integrity) and the signature was created by someone with access to the corresponding private key (authenticity). No secret information is needed for verification -- only the public key.
ECDSA in EUDI Wallet Credential Formats
ECDSA is used at multiple points in the EUDI credential lifecycle:
- Issuer credential signature: When an issuer creates an SD-JWT credential, the JWT header specifies "alg": "ES256" (ECDSA with P-256 and SHA-256). The entire JWT payload including all claims and the holder's device public key (cnf claim) is signed. For mdoc, the COSE_Sign1 structure in the Mobile Security Object uses the same ECDSA algorithm.
- Device binding proof: During credential presentation, the wallet signs a Key Binding JWT (for SD-JWT) or deviceAuth structure (for mdoc) using ECDSA with the device private key stored in the secure element. This proves the presenter controls the device the credential is bound to.
- Certificate chain: The issuer certificate, intermediate CA certificates, and potentially the root CA certificate all use ECDSA signatures. Verifiers validate this entire chain to establish trust from the credential back to the EU Trusted List root.
Security Considerations for ECDSA in EUDI Wallets
While ECDSA is well-established and widely deployed, its security depends on correct implementation. The most critical requirement is proper nonce generation during signing. If two signatures use the same nonce k with the same private key, an attacker can algebraically recover the private key from the two signatures. This is not a theoretical concern -- it has been exploited in real attacks against Sony PlayStation 3 and various cryptocurrency wallets.
EUDI Wallet implementations mitigate this risk by using deterministic nonce generation (RFC 6979), which derives the nonce from the private key and message hash rather than relying on random number generation. Secure element hardware further protects against nonce leakage through side-channel attacks by implementing constant-time ECDSA operations that do not leak timing information.
For long-term security, the EUDI ecosystem monitors advances in quantum computing. ECDSA on P-256 is vulnerable to quantum attack via Shor's algorithm. The architecture supports crypto-agility -- the ability to transition to post-quantum signature algorithms (such as ML-DSA/Dilithium) when quantum threats materialize, without requiring a complete redesign of the credential infrastructure.