🔐 Passkeys Cryptography

Interactive Visual Guide to ECDSA Signing

Phase 1: Initial Setup (Registration)

📍

Generator G

Fixed point on curve

→

🔑

Private Key d

Random secret number

→

🔓

Public Key Q

Q = d × G

→

🖥️

Server

Stores Q only

1 Generate Private Key

Your device creates a random large number called the private key d. This is your permanent secret, stored securely in your device's secure enclave.

d = random_large_number()

2 Compute Public Key

Using elliptic curve math, multiply the generator point G by your private key d to get your public key Q.

Q = d × G

Key insight: Computing Q from d is easy, but computing d from Q is virtually impossible!

3 Share Public Key

Your device sends Q to the server during registration. The private key d never leaves your device.

Phase 2: Authentication (Signing the Challenge)

🎲

Challenge H

From server

🎯

Nonce k

Fresh random number

→

✍️

Signature (r, s)

Proof of possession

→

✅

Verification

Server checks

4 Server Sends Challenge

The server generates a random challenge H (usually a hash of random data plus the domain name) and sends it to your device.

H = hash(random_data + domain)

5 Generate Fresh Nonce

Your device creates a new random number k for this signature only. This ensures each signature is unique, even for the same challenge.

k = random_number()

6 Create Curve Point R

Multiply the generator G by the nonce k to get a new point R on the elliptic curve. This point has coordinates (x, y).

R = k × G = (x, y)

7 Extract r from R

Take the x-coordinate of point R and call it r. This becomes the first part of your signature.

r = x-coordinate of R

8 Compute s Using Private Key

Now the magic happens! Calculate s using your private key d, the challenge H, the value r, and the nonce k.

s = k⁻¹ × (H + r × d) mod n

Where k⁻¹ is the modular inverse of k, and n is the curve order.

9 Send Signature to Server

Your device sends the pair (r, s) to the server. Notice that neither your private key d nor the nonce k are sent!

10 Server Verifies Signature

The server uses your public key Q, the challenge H, and the signature (r, s) to verify you possess the private key, without ever learning what d is.

Verify: signature_valid(Q, H, r, s) → ✅ or ❌

🔑 Variable Reference

G Generator: Fixed point on the elliptic curve (everyone knows this)

d Private Key: Your permanent secret number (never leaves your device)

Q Public Key: Derived from d, shared with server (Q = d × G)

H Challenge: Random data from server (changes each time)

k Nonce: Temporary random number for this signature only

R Curve Point: Temporary point computed as k × G

r First part of signature: x-coordinate of R

s Second part of signature: Computed using d, H, r, and k

n Curve Order: Fixed parameter of the elliptic curve