Sign
Nonce k. r = (k·G).x mod n. s = k^(-1) · (H(m) + r·d) mod n. Signature = (r, s).
Advertisement
Verify
Compute u1 = H(m)·s^(-1), u2 = r·s^(-1). Check r == (u1·G + u2·P).x.
Advertisement
Nonce disaster
Reusing k across two signatures leaks private key. Sony PS3 signed all games with same k → full private key recovery.
RFC 6979 deterministic k
Derive nonce deterministically from private key + message hash. Prevents nonce reuse. Widely adopted.